Guccifer 2 and “Russian” Metadata

The DHS-FBI intel assessment of the DNC hack concluded with “high confidence” that Guccifer 2 was a Russian operation, but provided (literally) zero evidence in support of their attribution. Ever since Guccifer 2’s surprise appearance on June 15, 2016 (one day after Crowdstrike’s announcement of the DNC hack by “Russia”), there has been a widespread consensus that Guccifer 2 was a Russian deception operation, with only a few skeptics (e.g. Jeffrey Carr questioning the evidence but not necessarily the conclusion; Adam Carter challenging the attribution).

Perhaps the most prevalent argument in attribution has been the presence of “Russian” metadata in documents included in Guccifer 2’s original post – the theory being that the “Russian” metadata was left by mistake. I’ve looked at lots of metadata, both in connection with Climategate and more recently in connection with the DNC hack, and, in my opinion, the chances of this metadata being left by mistake are zero. Precisely what it means is a big puzzle though.

Reliance on “Russian Metadata” in Attribution

Lest anyone believe that it is wildly improbable that US attribution is based on anything as flimsy as such metadata, I’ll provide a series of excerpts from leading articles. In making this selection, I’ve tried to find relatively authoritative articles. I’m unaware of any dissenting articles in mainstream media.

However, considering a long trail of breadcrumbs pointing back to Russia left by the hacker, as well as other circumstantial evidence, it appears more likely that Guccifer 2.0 is nothing but a disinformation or deception campaign by Russian state-sponsored hackers to cover up their own hack—and a hasty and sloppy one at that…

it’s “more likely than not” that the whole operation, including the Guccifer 2.0 part, was orchestrated by Russian spies, according to Thomas Rid, a cybersecurity expert…

The leaked documents contain metadata indicating they’ve been opened and processed on multiple virtual machines, as the independent cybersecurity researcher known as Pwn All The Things pointed out on Twitter on Wednesday. Some of these machines had different configurations, including one with the Cyrillic language setting and the username of “Iron Felix,” referencing Felix Dzerzhinsky, the first head of the Soviet intelligence services.

But there’s something funny about those Word files. While most are listed as originally written by Warren Flood, the name of a political strategist for the Democratic party, all five are listed as being most recently revised by someone named “Феликс Эдмундович,” an apparent pseudonym and reference to early Soviet hero Felix Dzerzhinsky.

Other firms agreed that it was possible, if not likely, that Guccifer 2.0 was created by the same Russian state-sponsored actors originally described in the hack.

We still don’t know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country’s lost Soviet era.

Exhibit A in the case is this document created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name “Феликс Эдмундович.” That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, “Феликс Эдмундович” is the colloquial name that translates to Felix Dzerzhinsky, the 20th Century Russian statesman who is best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)

Exhibit B is this opposition research document on Donald Trump, the presumptive Republican presidential nominee. Exhibit B is also written in Word. Several of the Web links in it are broken and contain the error message “Error! Hyperlink reference not valid.” But in a PDF-formatted copy of the same document published by Gawker a few hours before Guccifer 2.0’s post went live, the error messages with roughly the same meaning appear in Russian.

The most likely explanation is that the Russian error messages are an artifact left behind when the leaker converted the Word document into a PDF. That kind of conversion would be expected if the leaker’s PC was set up to use Russian.

All three pieces of evidence were teased out of the documents and noted on Twitter by an independent security researcher who goes by the handle PwnAllTheThings. ..

Although the proof is not conclusive, we assess Guccifer 2.0 most likely is a Russian denial and deception (D&D) effort that has been cast to sow doubt about the prevailing narrative of Russian perfidy.

There are signals that appear purposefully left behind to make a compelling case for a non-state Russian or Eastern European actor operating independently, such as cyrillic references to Felix Dzerzhinsky.

Rid, Motherboard Vice, July 25

The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.

Cyberresearchers found other clues pointing to Russia. Microsoft Word documents posted by Guccifer 2.0 had been edited by someone calling himself, in Russian, Felix Edmundovich — an obvious nom de guerre honoring the founder of the Soviet secret police, Felix Edmundovich Dzerzhinsky. Bad links in the texts were marked by warnings in Russian, generated by what was clearly a Russian-language version of Word.

The accidental inclusion of Russian-language metadata in some of the leaked files, as well as some error messages that were printed in Russian. In later releases of the same files, those messages were removed.

Guccifer 2’s June 15 Cut-and-Paste

Adam Carter (g-2.space) has been the leading critic of the above theory. I’ve relied on his ideas in the following exposition, but my approach is also heavily influenced by my Climategate experience.

First of all, the metadata in controversy is not the file metadata which one sees in directory listings, but internal Word metadata (e.g. author, default language). If you simply upload a Word document to a public location, you don’t change its internal Word metadata. There are dozens of such examples, both in Climategate and even in the Guccifer 2 cf.7z and ngpvan.7z dossiers.

In Guccifer 2’s first drop (June 15), Word metadata was changed in four documents (1.doc, 2.doc, 3.doc and 5.doc). In the first three documents, G2 successively cut-and-pasted the contents of three documents (Donald Trump Report, Dec. 19, 2015; 2016 GOP Presidential Candidates, May 26, 2015; HRC Election Plans, May 26, 2015) into a single (older) document template (perhaps an emptied document), which had originated with Warren Flood, a former employee of Joe Biden, and which had been modified prior to insertion of the fresh contents. G2 set the user name for the Word session as Феликс Эдмундович, Felix Edmundovich [Dzerzhinsky, the first Cheka director]. The default language of the Warren Flood template had been modified to Russian. The document itself is in RTF (readily readable in Notepad using techniques described by Carter at g-2). Originals of the three documents were later traced by Jimmysllama to Podesta emails 30498, 55782, 3405.

For all three documents, the very first line of the RTF sets default language to Russian (lang1049):

Later in the RTF, Felix Edmundovich in Cyrillic is introduced through the following line:

A fourth Word document in the June 15 dump (Promises and Proposals – National Security and Foreign Policy, Sep 4, 2008) was opened and saved by user “user” without corresponding changes to metadata.

The fifth Word document in the June 15 dump (National Security Transition Planning, undated) originates from the 2008 Obama transition. It does not use the Warren Flood template. User Феликс Эдмундович changed the default language to Russian and saved.

These operations all took place in a single half-hour in the early afternoon of June 15. The Warren Flood template was “created” at 13:38 with the first three documents saved by Феликс Эдмундович at 14:08, 14:11 and 14:12 respectively. The fifth document was created by jbs836 at 14:13 and saved by Феликс Эдмундович at 14:13.
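The RTF items described above (a default language of 1049, an author, a Cyrillic last-editor name and the creation/revision times) can be pulled out of a file programmatically rather than by scrolling through Notepad. The following is an added example, not code from the post or from Adam Carter’s site: a small RTF header parser that reads the `\deflang` control word, the `\info` group (`\author`, `\operator` for the last editor, `\creatim`, `\revtim`) and decodes Word’s `\uN` Unicode escapes. The RTF text it runs on is a constructed sample of the shape Word writes, not one of the Guccifer 2 files; the names and timestamps in it are illustrative. The flags it raises are exactly the two markers the post discusses, both of which take seconds to set deliberately.

```python
import re
from datetime import datetime

# Constructed sample (not one of the Guccifer 2 files): a Word-style RTF header
# with default language 1049 (Russian) and a Cyrillic name in \operator, the
# "last saved by" field. Word writes non-ANSI characters as \uN followed by a
# one-byte fallback (\'3f = "?"), which \uc1 tells readers to skip.
SAMPLE_RTF = (
    r"{\rtf1\ansi\ansicpg1252\uc1\deff0\deflang1049\deflangfe1049"
    r"{\info{\author Warren Flood}"
    r"{\operator \u1060\'3f\u1077\'3f\u1083\'3f\u1080\'3f\u1082\'3f\u1089\'3f "
    r"\u1069\'3f\u1076\'3f\u1084\'3f\u1091\'3f\u1085\'3f\u1076\'3f\u1086\'3f"
    r"\u1074\'3f\u1080\'3f\u1095\'3f}"
    r"{\creatim\yr2016\mo6\dy15\hr13\min38}"
    r"{\revtim\yr2016\mo6\dy15\hr14\min8}}"
    r"\pard\plain Body text.\par}"
)


def _balanced_group(s, start):
    """Return the brace group that opens at s[start]; honours \\{ \\} escapes."""
    depth, i = 0, start
    while i < len(s):
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return s[start:i + 1]
        i += 1
    raise ValueError("unbalanced RTF group")


def _subgroups(group):
    """Yield (control_word, body) for each {\\word ...} directly inside a group."""
    inner, i = group[1:-1], 0
    while i < len(inner):
        if inner[i] == "{":
            g = _balanced_group(inner, i)
            m = re.match(r"\{\\([a-zA-Z]+)\s?", g)
            if m:
                yield m.group(1), g[m.end():-1]
            i += len(g)
        else:
            i += 1


def _decode_rtf_text(s, codepage="cp1252", uc=1):
    """Decode group text: \\uN escapes (skipping uc fallback chars), \\'hh bytes."""
    out, i, n = [], 0, len(s)
    while i < n:
        if s[i] == "\\":
            m = re.match(r"\\u(-?\d+)", s[i:])
            if m:                                   # \uN unicode escape
                code = int(m.group(1))
                out.append(chr(code + 65536 if code < 0 else code))
                i += m.end()
                for _ in range(uc):                 # skip the fallback char(s)
                    i += 4 if s.startswith("\\'", i) else 1
                continue
            m = re.match(r"\\'([0-9a-fA-F]{2})", s[i:])
            if m:                                   # \'hh code-page byte
                out.append(bytes([int(m.group(1), 16)]).decode(codepage, "replace"))
                i += m.end()
                continue
            m = re.match(r"\\[a-zA-Z]+(-?\d+)? ?", s[i:])
            if m:                                   # other control words: no text
                i += m.end()
                continue
            out.append(s[i + 1] if i + 1 < n else "")  # escaped \\ \{ \}
            i += 2
            continue
        if s[i] not in "{}":
            out.append(s[i])
        i += 1
    return "".join(out).strip()


def _rtf_time(body):
    f = dict(re.findall(r"\\(yr|mo|dy|hr|min|sec)(\d+)", body))
    return datetime(int(f.get("yr", 1900)), int(f.get("mo", 1)), int(f.get("dy", 1)),
                    int(f.get("hr", 0)), int(f.get("min", 0)), int(f.get("sec", 0)))


def rtf_metadata(rtf):
    """Default language, author, last editor and timestamps from an RTF string."""
    head = rtf[:2000]
    m = re.search(r"\\deflang(\d+)", head)
    cp = re.search(r"\\ansicpg(\d+)", head)
    uc = re.search(r"\\uc(\d+)", head)
    meta = {"deflang": int(m.group(1)) if m else None, "author": None,
            "operator": None, "created": None, "revised": None}
    codepage = "cp" + cp.group(1) if cp else "cp1252"
    start = rtf.find("{\\info")
    if start != -1:
        for word, body in _subgroups(_balanced_group(rtf, start)):
            if word in ("author", "operator"):
                meta[word] = _decode_rtf_text(body, codepage, int(uc.group(1)) if uc else 1)
            elif word == "creatim":
                meta["created"] = _rtf_time(body)
            elif word == "revtim":
                meta["revised"] = _rtf_time(body)
    return meta


def language_flags(meta):
    """The two markers the post discusses; both are trivial to set on purpose."""
    flags = []
    if meta["deflang"] == 1049:
        flags.append("default language is Russian (LCID 1049)")
    op = meta["operator"] or ""
    if any("\u0400" <= ch <= "\u04ff" for ch in op):
        flags.append("last editor name contains Cyrillic: " + op)
    return flags


if __name__ == "__main__":
    info = rtf_metadata(SAMPLE_RTF)
    print(info)
    print(language_flags(info))
```

Run against a real `.doc` that is RTF under the hood (the post notes the June 15 files are), the same functions give the author, the `\operator` name and the minute-level timeline; the `\creatim`/`\revtim` gap is what lets one see how much work a given save actually involved.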

None of these operations were required in order to upload the documents – indeed, they required additional, otherwise pointless work. The only changes to the documents were the setting of the default language to Russian and setting of the username to Феликс Эдмундович. When these metadata were (quickly) discovered, the discoverers proclaimed that these metadata had been exposed to them by “mistake” – a wardrobe malfunction, so to speak.

Pwnallthings

Within a few hours, Matt Tait (blogging as @pwnallthings) noticed the “Russian” metadata in the G2 documents, pronouncing it as a laughable “Russian opsec fail” by the very same Russians to whom Crowdstrike had attributed “superb” “tradecraft”:

The other “smoking gun” was the appearance of Cyrillic characters in the version of the Trump oppo research published by Gawker as a pdf – occurring in converting the Word document to pdf (with Russian default language).

Follow-up Guccifer 2 Posts

When the Феликс Эдмундович alias was “discovered”, Guccifer 2 reacted by posting up 8 documents on June 17 with username Ernesto Che [Guevara], 10 documents on June 30 with username Chen Du and 4 documents on July 6 with username Nguyen Van Thang, after which he didn’t bother with such artifices.

In an “interview” on June 21, Guccifer 2 said that these usernames were a form of “watermark” [translated from Romanian “filigranul”].

Adam Carter

At his webpage, Adam Carter has eloquently ridiculed the idea that Guccifer 2’s “Russian” metadata was left by “mistake”. Whereas Jeffrey Carr has stated that there is nothing in Guccifer 2’s conduct that is inconsistent with him being an unaffiliated hacker, Carter has argued that Guccifer 2 is a false flag operation carried out by Crowdstrike on behalf of the DNC (rather than a false flag operation carried out by the Russians).

Conclusion

If I encountered a document which had been most recently modified by a user using the pseudonym “J. Edgar Hoover”, I would not jump to the conclusion that the document originated with U.S. counter-intelligence or police. If anything, I would presume the opposite – that the username was satirical.

When a document is opened in Word for no purpose other than to change the default language to Russian and change the user name to Феликс Эдмундович, I would not jump to the conclusion that they had done so accidentally or attribute the subsequent exposure of “Russian” metadata to a sort of wardrobe malfunction. I would presume the opposite: that whatever I saw was being shown to me intentionally.

To the extent that exposure by mistake is being relied on for attribution of Guccifer 2 to Russian intelligence services, it is worthless as evidence and an embarrassment to the security firms and intel community who promulgate it.

Could one picture a circumstance in which an insouciant Russian intelligence service intentionally signed their own name to the Guccifer 2 hack? Why would they want to stick a finger in the US eye so ostentatiously?

Can one picture a circumstance in which a hacker (US or eastern European) might want to misdirect towards Russia? Hackers don’t want to be caught and put in jail. Anything that they say has to be taken with one or more grains of salt. Guccifer 2 has no obligation to say things that would help him get caught. If the US intel community is convinced that “Russia” hacked the DNC, they aren’t going to look for hackers in the US Eastern time zone. At the time, there was no “Russia, Russia” hysteria and little reason for G2 to think that a little misdirection could cascade into an international incident. Or the explanation may be something else entirely.

The bottom line is that the “Russian metadata” (“breadcrumbs”) are worthless for attribution, let alone attribution at “high confidence”. I’ll survey other lines of G2 attribution separately, but they are, if anything, even worse.

1. as I understand it, the Russian warnings were automatically generated in pdf conversion and do not exist in doc version. I.e. NOT typed in.
2. Probably can be done by cut-and-paste. I cut-and-paste Cyrillic text into my post though not exactly the same. I suspect that one can do so into Username as well.

After reading Steve’s words and the many comments on attribution, I now think it UNLIKELY that Russian fingers were the first ones messing around. I suspect 2 or more to have gamed the system with false flag stuff, tongues in cheeks, just wanting to put the cat amongst the pigeons
At this point, “don’t know” seems appropriate except to someone wanting to sling mud. YMMV

“Why would they want to stick a finger in the US eye so ostentatiously?”

In other circumstances, I can think of many reasons why the Russians might want to “stick a finger in the US eye” but none of those reasons apply if the main point of the whole operation was to get Donald Trump elected President. None of the material provided by G2 was damaging to Hillary; the material was somewhat damaging to Trump and, more importantly, could be used to discredit the Wikileaks release. Whoever he was and whatever else he was doing, G2 was trying to get Hillary elected.

“At the time, there was no “Russia, Russia” hysteria and little reason for G2 to think that a little misdirection could cascade into an international incident.”

The hysteria has certainly grown over time but this was obviously not an accident caused by a “private hacker’s” attempt at misdirection. The Crowdstrike attribution to Russia was made public on June 15 and, as if by magic, G2 appears the same day to apply dirty Russian fingerprints to the metadata. That timing might possibly be an amazing coincidence but please note that, prior to G2’s appearance, Crowdstrike and the DNC had no basis for asserting that the Wikileaks source was a hacker at all, to say nothing of a Russian hacker. G2’s claim to be the Wikileaks source (in the face of Wikileaks’ denial) is the sole reason that anyone has to connect Russian hacking to the 2016 Presidential election. From the point of view of a hacker who was also the real Wikileaks source (whether that person was a Bernie supporter, a Trump supporter, a non-political private hacker or even the GRU) any “Russian hacker” misdirection was unnecessary and only tended to increase the chances of getting caught by, among other things, causing the authorities to look at hackers rather than leakers.

Although somewhat OT from the subject of hacking, the famous Trump Tower meeting with Donald Jr. and others has a similar issue. If the Russians set up the meeting to help Trump get elected, why didn’t they deliver the “incriminating” documents which were supposed to be the point of the meeting? If they didn’t have incriminating documents to deliver, why pretend otherwise to get a meeting with Trumpites when, at best, the existence of the meeting only provides an excuse for further FBI surveillance?

I did not find this “justsecurity” writer impressive at all. It is clear he is aware of some of the general allegations against Cohen in the dossier, like travelling to Prague, but has not read the dossier on details of the criminal and suspicious activities alleged. A bunch of his early questions would be answered if he read the dossier. I don’t think he read it at all.

Yes, the Russian whiskers were obviously intentional and highly visible goading, made most apparent by choice of author AKAs, screaming, “I’m Russian.” But there is another more sophisticated trail to Russia laid by G2 in his email electronic trail, as outlined by cyber security company Threatconnect’s article updated 7-26-16.

It’s fairly technical and I would like Brandon or other techies to give the article a read. But I see the bottom line is that G2 used a French AOL server from a VPN traced to a domain name registered under the name James Dermount in NYC.

Without burdening with a very technical article quote, it seems that although the domain cannot be traced to Russia, the pre-2004 registrant of the domain is connected with Russian online scams. So this deeper analysis is likely what the IC has been relying on. But for a reporter to include this in their story they would have to say: “The DNC hacker goaded by leaving a Russian business card, but when the card was further analyzed, through sophisticated analysis, unmistakable Russian fingerprints were found.” It doesn’t exactly sing.

mulling this over, there’s another possibility. I can picture the “cheap Russian make-up” as an anti-Crowdstrike joke by a reddit-type hacker – not really expecting the joke to be taken seriously. The Guccifer persona also being a clown costume.

Wouldn’t it have to be a “pro-Crowdstrike” joke? G2 is ersatz confirmation of everything Crowdstrike claimed about Russian hacking (except the donor lists which are subject to periodic release anyway) and discredited the Wikileaks release of Crowdstrike’s client’s e-mails (mostly collected after Crowdstrike’s involvement). What hacker makes “pro-Crowdstrike” or “pro-Hillary” jokes?

The story does not sing (even without my typing). But the question then becomes how air tight is Threatconnect’s Russian connection. In reading again it seems they are claiming the previous VPN domain name’s registrant, who is apparently Russian, is currently associated with a common host, Elite VPN Service, through the secure shell host (SSH) and Point-to-Point Tunneling Protocol (PPTP) fingerprint. Apparently this shows that G2’s VPN host server is a clone of servers used by Elite VPN Service. But Threatconnect could not get access to this server by subscribing to Elite and this shows that the server is for exclusive use. (Or, it means G2 is an extremely sophisticated spoof of a Russian actor.)

Questions to Brandon and others: Can hacked servers be cloned? Is Threatconnect’s analysis airtight? If Russian, is it the FSB? If so, what is G2’s mission? Threatconnect claims it’s “denial and deception” (D&D). If that is correct then perhaps skeptics like Adam Carter and Jeff Carr were supposed to punch through the obvious Russian whiskers, and it was foreseen G2 would provide strong confirmatory narratives for both sides of the political divide in the US. If this is true it’s incredibly ingenious. Perhaps the Russians even deceived Assange and murdered Rich to stir the pot more.

If G2 is the creation of the DNC or Crowdstrike then it was also a success (unless tumbling down in the Awan or Rich investigations).

IP used was default Elite-VPN IP. It is not seen on ThreatConnect screenshot because it’s the default one. So this was not a “clone of server”.
And even more surprising: neither ThreatConnect nor CIA/NSA ever contacted admins of Elite-VPN and asked for any logs.

You should update yourself with Adam Carter’s investigation. Not only has he debunked Threatconnect’s vpn story, he’s shown by contacting the relevant host that Threatconnect never bothered to do the same.

“It is important to note that the IP address seen in the Guccifer 2.0 AOL communications – 95.130.15[.]34 – is not listed as an option within Elite VPN Service. Although it has an identical SSH fingerprint and has the exact same port (1723, PPTP) open as the listed options. This demonstrates the server was cloned from the same server image as all the Elite VPN servers but may be a private or dedicated version of the service.”

Whatever value that link may have, it does not represent the intelligence community’s assessment of Guccifer 2.0’s involvement with the intrusion into the DNC’s server. My question was asking after what government agencies have concluded/stated not what a single cybersecurity firm has concluded/stated.

Open them and ctrl-f for what you are looking for. Guccifer 2.0 is barely mentioned.

“We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.”

“Public Disclosures of Russian – Collected Data. We assess with high confidence that the GRU used the Guccifer 2.0 persona , DCLeaks.com , and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets. Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.”

Another motive to attribute this DNC breach to “Russia”: preemptively smear Wikileaks, that nasty club that showed too much of US gov. cyber offensive tools / Ops, both international as well as domestic .

“When a document is opened in Word for no purpose other than to change the default language to Russian and change the user name to Феликс Эдмундович, I would not jump to the conclusion that they had done so accidentally or attribute the subsequent exposure of “Russian” metadata to a sort of wardrobe malfunction. I would presume the opposite: that whatever I saw was being shown to me intentionally.”

I agree. I think the question is who would want to implicate the Russians. Everybody seems to have forgotten that allegedly the same actor tried to break into the RNC. Cover all the bases so as to stir the pot between the US and Russia. A rich disgruntled Russian exile? An eastern European nation? Maybe both.

An obvious possibility to me is Guccifer 2.0 wasn’t involved with the intrusion into the DNC servers at all. People familiar with the original Guccifer will remember back in May 2016, he claimed to have repeatedly hacked into Hilary Clinton’s private server, a claim which was an obvious lie. June 2016 is when Guccifer 2.0 showed up claiming to have hacked into the DNC servers, a claim accompanied by documents stated to be from this intrusion. In reality, the documents Guccifer 2.0 disseminated were not taken from the DNC servers.

As far as I can tell, there is no evidence Guccifer 2.0 broke into the DNC servers. It seems possible he was simply a person taking credit for something he never did. Under this view, the choice of his name, Guccifer 2.0, was an apt reference to the original Guccifer making similar false claims just a few weeks before. Adding Russian metadata to the documents he released would have been him creating a smokescreen to make his story seem more believable (to some people). That would seem in-character given the other lies he has told. Referencing the Russian version of J. Edgar Hoover would just be further gamesmanship on his part.

Which is why I asked above for a link/reference for the claim the “DHS-FBI intel assessment of the DNC hack concluded with ‘high confidence’ that Guccifer 2 was a Russian operations” I am not aware of any meaningful evidence Guccifer 2.0 was involved with the hack, and I certainly haven’t seen any official report stating he was.

I realized it has been a long time since I looked at the history of Guccifer 2.0’s actions, and I realized my memory of things was faulty. My comment (currently in moderation) is wrong to say Guccifer 2.0 didn’t release DNC documents. He did. The documents he lied about were the ones he claimed to take from the Clinton server.

So he did have access to (at least some) material from the DNC servers. That doesn’t mean he had to have been involved with the hack, however. Below, Lurker explains one theory about who Guccifer 2.0 might have been that a number of people believe.

Personally, I don’t care about who Guccifer 2.0 may or may not have been (hence me posting with a sloppy memory). I haven’t seen the intelligence community make any claims about his identity, and his identity has had no influence on my views on what may or may not have happened. When a person repeatedly lies and even goes as far as creating fake evidence, you obviously can’t trust anything they say. Maybe you can draw conclusions from examining his lies for clues, but I’m skeptical.

To show why, consider this fun theory a friend of mine suggested: Imagine two Russian groups broke into the DNC servers. One group, which had greater access to the network, planned to release a large amount of material to the public in order to hurt the Democrats. The other group, seeing they were going to lose any role in the ongoing discussion, pre-emptively released material they had obtained under the Guccifer 2.0 identity. In the process, they created a smokescreen so as to be able to continue to have a role in discussions via that controversy since they knew the other group had a monopoly on releasing content due to it having had greater access. Silly? Sure. But is it any sillier than the idea the DNC is behind Guccifer 2.0?

Seems to support my recollection that nothing in Guccifer 2.0’s early releases were taken from the DNC server. According to the author, the source of about half the documents is not known, but those documents never showed up in the release at Wikileaks. That would seem to make using any information about Guccifer 2.0 to draw conclusions about whether or not the Russians released a trove of documents to Wikileaks more difficult.

I suppose it shows how muddled things are (for me) that even when I think I’m wrong, I can wind up being wrong. I’ll try to do a better job of reviewing/checking any information I might post from here on.

Brandon, it’s easy to miss things if you’re not following them. You say: “I haven’t seen the intelligence community make any claims about his identity, and his identity has had no influence on my views on what may or may not have happened.” As noted in a separate comment, the DNI intel assessment attributed Guccifer 2 to Russian intelligence. I believe that it is therefore relevant both in terms of what might have happened and in terms of assessing the quality of IC assessments.

Yup. I agree. That’s why I asked for it and said I hadn’t seen it, not that it didn’t exist. I haven’t been following this all that closely so I’m fully aware there may be things I missed.

The report doesn’t explain why they think Guccifer 2.0 was a Russian ploy (or their reasoning on much of anything, for that matter) so we can’t know what their reasoning was, but I am rather skeptical of their conclusion on this point.

yes, I entirely appreciate the difference when you’re not following something. I hadn’t followed Syria at all prior to this year and knew nothing about issues that had been intensely debated.

I’m strongly influenced in my perspective by my Climategate experience, where, on the one hand, the climate community’s reaction was to blame it on “Russia” trying to hack Copenhagen and because it was “sophisticated”, and, on the other hand, the skeptic community’s preference was for a leak. Both tendencies obviously apparent in DNC hack attribution.

Fairly soon in the process, I arrived at the conclusion that it was a hack by a lone individual who was a thorough reader of skeptic blogs. The selection of emails – attention to Climate Audit interests, especially Yamal, and lack of interest in temperature dataset controversies – made sense for a Climate Audit reader, but not for Russian intelligence services. That was clinched when metadata on Yamal documents showed access shortly after a CA post on the topic. When metadata on document access showed that access began in mid-September, it made impossible the police and counter-intel suggestion that the incursion began as a hack against Copenhagen, which didn’t make sense anyway (Why choose UEA?) I have no idea who Mr FOIA is, but I’d be amazed if he hadn’t commented at WUWT or CA over the years in some name that we’d recognize.

When people talk about risks taken by G2: remember that Mr FOIA first placed the dossier on RealClimate. There was a kind of madness to that. I’m increasingly persuaded the idea that the “Russian metadata” was a joke. Nothing as grand as a Crowdstrike misdirection or GRU “mistake”.

Both the Wikileaks source and G2 had access to the DNC server but the Wikileaks source provided information which was damaging to the Clinton campaign and G2 provided information which was helpful to the Clinton campaign (in part, by discrediting the Wikileaks source as a Russian hacker). I assume that the Russian IC is attempting to hack the DNC every day of the week and twice on Sunday. However, the only connection between “Russian hacking” and the 2016 US Presidential election is provided by G2. G2’s claim that he was the Wikileaks source produced: (1) an Independent Counsel, FBI and IC investigation of the Trump campaign and multiple anti-Trump leaks of information obtained during the investigation; (2) at least four Congressional investigations of the Trump campaign; (3) lots of bad press for the Trump administration; and (4) anti-Russian sanctions for interference in the election.

The DNC had motive, means and opportunity for all of the foregoing. Best of all, it would not even be against the law if the perpetrators were caught by some ultra-secret NSA spook-tech. If there was no hack, there was no crime. It is not against the law to put false information on the internet. There is no false police report, Crowdstrike merely reported a hack which they attributed to Russians, good luck proving it even if it wasn’t true. Crowdstrike did not vouch for G2 or for his claim that he was the Wikileaks source.

A rogue element of the Russian IC would not only be thwarting the interest of another branch of the Russian Intelligence Community and the Russian State in the short term (and making exploitation of potentially the greatest coup in the history of intelligence operations impossible in the long term), it would also directly damage the economic and political interests of the Russian State regardless of the outcome. If found out, and they would certainly be found out if the hypothetical were true, they would likely all be shot as traitors after a secret trial. Does the actual GRU put “Russian fingerprints” on the metadata under those circumstances?

yes. I was very reluctant to write up my ideas for the same reason. Not that my ideas rose beyond general characterizations – that Mr FOIA was a CA reader. He must have been diligently reading CA all through that September. UK counter-intelligence were so fixated on something HUGE that they never examined the chain of events at CA.

Another important point: I am convinced that the timing relates to the Mole Incident in August, when we were having fun with UEA and all sorts of readers were foraging through their FTP site following my Mole post. A couple of readers told me that they stumbled into private areas of the website and notified UEA as well. My guess is that another reader had the same experience and followed his nose deeper into the system. If and when we ever learn the identity of Mr FOIA, my guess is that he’ll turn out to be someone who commented occasionally and whose handle we’d recognize, but I suspect that he was a very-seldom commenter and not a commenter with a reputation in his own right. Just a guess.

The CA audience was very large at the time and there were a lot of commenters with serious computer skillz.

I found out there is some interesting information if you examine the Climategate dossiers closely for forensics. I don’t know if anyone else has made the same observations, but nobody has talked about them in public.

the most detailed discussion of forensics was by “Frank” at iji (or similar). Although Mr FOIA had bleached access times for emails as documents, he didn’t bleach access times for documents, which showed access beginning in mid-September, concentrated in early October, through to release. Some unbleached Yamal data was literally within a few hours of a major Yamal post. This was “public” information though you have to know the topic to look for it. These access times are conclusive (to me) that Mr FOIA was not a Russian intelligence service operation against Copenhagen, since it was far too late in the day to commence such an esoteric operation for such a purpose.

Though I also think that Mr FOIA worked rapidly to get the dossier out before Copenhagen because of the interest – something to bear in mind when one thinks of a probable rush to get the DNC emails online before the DNC convention. The timing of the release doesn’t necessarily shed light on the original motive.

almost exactly at the same time as G2 events, memoranda in the fraudulent Steele dossier were peddled to the US intel community. I’m convinced that the hair-on-fire CIA task force in August 2016 was based on Steele memoranda. I’m certain that fraudulent Steele dossier memoranda were used in the Gang of Eight briefing in August 2016 and for FISA warrants on Manafort and Carter Page. Comey was knee-deep, no waist-deep, in Steele dossier fantasies when he first met Trump. He deceived Trump about how the FBI viewed the dossier. Then immediately after the meeting, the fact that Trump had been briefed on the dossier was leaked to CNN, thus enabling the media to publish the dossier.

one of the oddities (to me) of climate academics is that they are so invested in being “smart” that they do things that make them look crooked, rather than just admitting that they’d done something stupid. Exact opposite of businessmen.

“So, is the US Intelligence Community really this dumb or are they just pretending? If they are only pretending to dumb, why?”

Let’s say Edward Snowden is correct and the IC should have the tools to trace the G2 emails even better than Threatconnect, and that it really is the GRU behind FB, CB, G2 and DNC WL. Then we have the following:

1) Embarrassment to US cyber security and the disruption caused by insecurity.

2) Embarrassment to the Clinton campaign and DNC through WL.

3) Embarrassment to Trump by being connected with circumstantial evidence of Russian contacts and perhaps being helped by a foreign US adversary.

4) Disruption of the US in general by media and government distraction and exploitation of political divisions by leaving evidence pointing to Russians for a MSM honeypot, evidence which falls apart on the slightest rigor of forensics, which enrages Trump voters.

This would be the perfect Russian black op except for Russia taking the blame for it and suffering sanctions.

The key is the Elite VPN Services clue. If Threatconnect is right then we have to lean toward Russia. If they are wrong it must point to a sophisticated framing of Russia, which it is hard to believe that Russia would do even in the Alice in Wonderland world of intelligence.

I have some notes on the Elite VPN incident and will try to write them up.

But a Climategate example that prevents me from drawing too much of a conclusion. In 2013, Mr FOIA sent an email to me and a couple of other bloggers, saying that he was a lone individual and not from the UK (i.e. a hack, not a leak). He sent the email from a “burner” email address from an easily registered address (think something like Yahoo – but not Yahoo) in a foreign jurisdiction which would not readily yield to US or UK police inquiries. My guess is that he probably set up the account through one or more proxy servers. Secondly, Mr FOIA’s initial upload to realclimate was through a proxy server in Turkey or Saudi Arabia and his second upload was to a Russian server, presumably through one or more proxy servers.

Leaving aside the later “Russia, Russia” stuff, using a burner email address in a jurisdiction that is somewhat jealous of independence (France) through one or more proxy servers is how Mr FOIA approached contact as well.

There are also important differences. Mr FOIA’s email contacts were with sympathizers, while G2’s were with US political websites (The Smoking Gun, Gawker, Motherboard Vice, Vocativ, The Hill). Seemingly too many, but Mr FOIA contacted or linked at multiple blogs over the years.

I’m not trying to exaggerate the parallels, merely trying to elucidate characteristics for comparison.

Thinking back, I don’t remember that the DNC hack being such a huge issue in real time.

Didn’t it first become an issue because of the October 7 intel community finding? At that time, the intel community, especially John Brennan, was consumed by teasers from the fraudulent Steele dossier, which was the first document that purported to link Trump to the DNC hack. The development of the DNC hack theory and the fake dossier seem to go hand in hand.

My conclusion is that it was DNC and probably CrowdStrike.
APT28 and APT29 probably indeed had malware on DNC servers. But CrowdStrike was not able to detect which files had been stolen and they didn’t have any good proof that Russians were indeed involved.
The plan was to not mention this hack at all.
After Assange announced he had DNC documents, they scrambled and in two days DNC and CrowdStrike both released statements that the hack happened (see tweets I linked in comment). Both mentioned that the file “Trump opposition report” was stolen.
One day after this Guccifer appeared and was mocking CrowdStrike and talking to journalists, and wasn’t able to convincingly explain how he hacked the servers. And he released the “Trump opposition report”.

Based on the results of Guccifer’s publications and actions I believe that his purpose was:
1. Convincingly assert attribution of the hacking to Russia, by fooling/convincing a few tech journalists and the general public
2. Divert attention from WikiLeaks documents (that were released 5 weeks later), by publishing not damaging documents. First thing he published was “Trump opposition report”. That contained only bad things about Trump. Do you think this damaged DNC?
3. Guccifer claimed he was source of WikiLeaks, but never proved it in any way.
4. Guccifer claimed he has access to DCLeaks (known Russian controlled leaks webpage). But again all he had was password to part of site where he uploaded documents. He failed to provide any other proof that he admins that page. (DCLeaks shares passwords with journalists too if they promise coverage)
5. All other documents Guccifer released were unimportant or very old
6. Guccifer 2.0 contacted and was in communication with a few people; Oliver Stone, for example, was later accused of colluding with Russians based on this.

So if we ask who benefited from G2? There is only one answer.
Why would a real hacker expose himself so much and risk getting caught?

There is a lot more evidence that all points towards this scenario. Its all found on: http://g-2.space

the seemingly pointless risks taken by Guccifer 2 are a large puzzle. On the other hand, there are some very self-confident people with hacker capability – Kim Dotcom comes to mind, but lots of redditors seem in that type.

First, the risks aren’t pointless (and also aren’t even risks) if G2 is the DNC/Crowdstrike. If G2 is the DNC or Crowdstrike the “risks” are absolutely necessary and/or helpful (depending on which risk we are talking about) to discredit the Wikileaks disclosures, gin up an FBI investigation and create a “Russian election hack” narrative.

Second, although I do agree that there are actual hackers (and others) who might take risks of this nature out of ego driven anti-authority sensibilities, it seems to me that a hacker with that motivational base would not be “objectively pro-Crowdstrike” as this hacker is. Consider, for example, your observation (which I missed until your post) that a majority of the DNC e-mails, including some of the most damaging ones, were taken from DNC servers only after Crowdstrike arrived to fight the filthy Russian menace. If the Wikileaks source was a hacker he should have been laughing his a$$ off at Crowdstrike’s self-described heroism. It seems to me that the type of person we are talking about would have been pointing and laughing at the Crowdstrike goons during his first public appearance and every day thereafter. Would a hacker with the usual anti-authority feelings and a big ego leave it to a semi-retired Canadian mining executive to tell the world how thoroughly he had humiliated Crowdstrike?

hmmm, good point. Seems like the G2 persona of June 15, gloating against Crowdstrike, ought to have rubbed it in.

Reminds me of another point when I compare Mr FOIA to G2. Mr FOIA’s curation of CG1 emails was really insightful given what seems to have been a very short editing period. (Mr FOIA appears to have obtained access only in mid-September.) Mr FOIA had a thorough grasp of the issues from Climate Audit perspective – far better than nearly all commentators.

As compared to Mr FOIA’s insightfulness, G2 seems completely hamfisted. His selection of documents seems uninspired. Makes me think that he might have delivered a much bigger bundle to Wikileaks, which was edited down.

Nor did the DNC hack really have any impact on the election. There was nothing relevant in it about Hillary. It caused a little embarrassment for Wasserman Schultz, but nothing that hurt the Clinton campaign. I’m trying to remember who first pointed out the more damaging emails. In Climategate, Mosher played an important role in shaping perception: he had the dossier for about 2-3 days before it was in the wild and on the first day, set out what he thought were the Greatest Hits at Lucia’s, at CA and at WUWT. Anything that didn’t get oxygen in those first days never really got much traction as an issue. It would be a useful dig-here to see who spotted the Greatest Hits in the DNC hack, such as they were.

That’s pretty much what I had in mind. Using the Guccifer name a month after the original Guccifer lied about having broken into Hilary Clinton’s server seems noteworthy. There was no record of Guccifer 2.0 until a month after Guccifer was caught lying about having broken into a server, a server owned by Clinton. Guccifer 2.0 then showed up the next month, claiming to have broken into the DNC network while using documents as “proof” which may well not have come from that network. Not that long after, he then lied about having broken into Clinton’s server, the very thing the original Guccifer lied about, while providing “proof” which clearly wasn’t taken from her server.

I haven’t seen anyone mention this rather remarkable coincidence. I think that’s weird. I mean, if my political/social inclinations were different, and I had lower ethical standards, I could see myself trying to pull off a prank resembling what Guccifer 2.0 has done. That’d be hilarious. Some random nobody just shows up and manages to convince half the world he’s either a secret Russian agent or a false flag operative?

Please remember that even if the server used by G2’s AOL email to The Smoking Gun was not a Russian government exclusive use server of Elite VPN Service, but was a publicly available server from that Russian malware associated host, this puts sophisticated fingerprints to G2.

Questions:

1) Would a pranking Brandon or a Reddit hacker have been so detailed to leave the Elite VPN forensic trail to Russia?

2) The DNC hack and resulting “Russia, Russia” has dominated US news for a year. Considering the importance and that MSM still cites the Russian clown makeup as evidence, and the technical journals still point to Threatconnect’s analysis, why is Adam Carter [a pseudonym] the only good source of information?

3) If Threatconnect is wrong why isn’t there pressure for them to update their blog?

4) If the US IC is protecting their sources and methods why don’t they at least weigh in on the veracity of the Threatconnect and other analysis published by security firms?

Even without these answers we know that the FB, CB and G2 were top level actors, not pranksters or even Kim Dotcom. There is no way for the US IC to have a “high confidence” of anything only using secondhand information and Crowdstrike supplied forensics. Anyone disagree?

There is no way for the US IC to have a “high confidence” of anything only using secondhand information and Crowdstrike supplied forensics. Anyone disagree?

I think that there’s a considerable amount of deception in US intel community assessments, in which they imply supersecret “sources” but in reality they have little more than open source content. I agree that it is impossible for the US IC to VALIDLY have high confidence using “secondhand information and Crowdstrike supplied forensics”, but think that it is entirely possible for them to say that they have “high confidence” despite only using “secondhand information and Crowdstrike supplied forensics”.

My interest in Syria largely arose from puzzlement at the low quality of the IC assessment of the DNC hack. I decided to look at another IC assessment and looked at their assessment of the 2013 chemical attack in Syria. I’m persuaded that the IC assessment made grossly false claims to knowledge of the origin of rockets supposedly used in the 2013 Ghouta attack, which was key evidence in the public conviction of the Assad government as perpetrator. Their represented origin, used in subsequent anti-Syria propaganda, can be shown to be wrong using subsequent public information, but has never been retracted. These false claims do not result in opposite attribution, but the next tranche of evidence is much weaker, making “high confidence” impossible.

Imagine that the US governmental IC is quite happy with this Russia-Trump link through Crowdstrike and wants to keep it as murky as it is: then most pieces of this puzzle fall in place. Keep The Boss on your leash just like in the good old 1950s and 60s.

For those interested in the sarin attack in Ghouta in 2013, Wikipedia provides an interesting and quite detailed article. French and UK intelligence made the same assessment as U.S. intelligence.

Given the fissures in Syrian society, I would imagine that human intelligence was a factor in the conclusions, although such sources would not be something made public.

The article also details efforts by the Syrian government to obstruct and curtail the U.N. investigation, and these efforts succeeded to a large degree.

It was concluded that several hundred kilograms of sarin were used in the attack.
The Syrian government was known to possess many tonnes of sarin (as “precursors” or ingredients; sarin is never made up until just prior to use), whereas the rebels were never known to have such quantities.

MikeN, I can’t say that I have. Is it better than the movie? The movie drove me crazy with how they kept saying Bourne was so amazing at spy stuff yet he did things like walk around in public while making no effort to disguise his appearance. And somehow it worked!

(Though it was nowhere near as bad as the later movies. Trying to work out the logic of the characters in the last couple Bourne movies gives me a migraine.)

of all the dozens of spy and mystery novels that I’ve read over the years, I found Bourne novels unreadable. I hated the short, unliterary sentences. Unsurprisingly, LeCarre is far and away my favorite. A geologist who worked for me about 25 years ago was a friend of Len Deighton’s – I read all of his stuff. I liked Ross Macdonald mysteries and read all of them. All of Dashiell Hammett. I’ve been meaning to take a look at John D MacDonald again – my father used to read them at the cottage and I remember that one of the common themes was crooked developers getting variances to build in areas vulnerable to hurricanes, especially the “big one”.

Vastly better than the movie. It’s amazing how it has almost the same scenes and a completely different plot. Matt Damon is going to have anti-CIA stuff in any movie, including his script of Good Will Hunting. I agree with the non-literary critique, with characters making exposition of psychological analysis, but overall I enjoy the books. Your posts reminded me of the first book.

MikeN, I think it is remarkable how many people are certain they know who Guccifer 2.0 was. The idea we could conclude Russians were involved based on any information available about that identity seems silly, but at the same time, I don’t think we can conclude it was anyone else either.

Personally, I like my friend’s theory: APT-28 is the Russian group which gave material to Wikileaks. APT-29 is a second Russian group which had managed to gain less access into the DNC servers and has created the Guccifer 2.0 so it can play its own role in how things play out. It’s silly, but think about it. What would you do if you were the less successful Russian group to break into the DNC servers? Would you just give up and let the other group do everything from here on, or would you perhaps make a fake identity you can use to cast doubt and uncertainty on all future discussions?

As a rule, I believe you will find discussions more productive if you answer direct questions with a straightforward answer. Responding to questions with other questions, even if to imply some point you think may be clear, will rarely lead to useful conversations.

Ron Graf, that is simply not true. APTs are identified threats, usually groups, not just MOs. You cannot copy an APT. You can copy methods and techniques used by an APT, but that does not mean you are using the APT.

Brandon, there’s a need to distinguish between the use of the tools and hypothesized organizations/individuals using the tools. All that can be observed on the server are indicators of compromise – which points to use of tools. Tools can be used by more than one institution or re-purposed. A key malware example in the DHS report attributed to APT28 (or APT29, I forget) turned out to be publicly available Ukrainian malware.

Jeffrey Carr has acutely observed that people e.g. Crowdstrike too quickly and easily elide between methods and institutions.

Brandon, there’s a need to distinguish between the use of the tools and hypothesized organizations/individuals using the tools.

Yes. That is why I corrected Ron Graf when he used terminology for groups as referring to tools those groups use. I think it would be helpful for people to agree to a set of basic facts/terminology.

Tools can be used by more than one institution or re-purposed. A key malware example in the DHS report attributed to APT28 (or APT29, I forget) turned out to be publicly available Ukrainian malware.

See, this is what I am talking about. The malware you refer to is P.A.S. web shell, which in casual narratives keeps getting described as Ukrainian software based on nothing more than the fact the guy who made it claimed to be Ukrainian. People show great skepticism toward official government reports then turn around and state as fact things which an anonymous hacker says.*

For another fact, the report you refer to was not a report on the DNC hack. It was a report on the attempted attacks against U.S. electoral systems. There was a different DHS report released for the DNC attack(s), but it didn’t include the example you refer to. I doubt anyone who read your comment except me knew that. I think most people would assume when you say “the DHS report” you were referring to the one on the DNC hack, the subject of this post.

*This example is a bit bad because the hacker in question surrendered himself to Ukraine authorities who have reported he told them he was hired to customize his program (a service he offered to people who would pay) without knowing he was being hired by Russians, finding out Russians used the customized code in hacks after-the-fact.

On the one hand, that would support the idea this program was Ukrainian as claimed. On the other hand, it would make the conclusion Russians used that software in their hacking, as reported by the DHS report you referred to, seem correct. Either way, unless someone knew about this part of the story, they would be assuming the malware was Ukrainian simply because an anonymous hacker said he was Ukrainian. That seems unwise.

For another fact, the report you refer to was not a report on the DNC hack. It was a report on the attempted attacks against U.S. electoral systems.

The code in question was initially released along with a December 29th, 2016 report. That report was about Russian cyberattacks against the United States in general, but it gave focus to the DNC hack since that was a major story at the time. What’s important to note is that while this report was accompanied by a sample of the P.A.S. code, the report itself contained no discussion of it.

February 10th, 2017, a follow-up report described as an “enhanced analysis” was released to provide an “enhanced analysis” of those Russian cyberattacks. That report did not focus on the DNC hacks, and it contained a fairly detailed discussion of the P.A.S. code in question. It also contained numerous technical details about the government’s case for claiming Russia was engaged in a cyber campaign against the United States electoral process.

The reason I want to clarify this is when I said the report Steve McIntyre referred to was not about the DNC hacks, I said that because the previous report did not discuss the P.A.S. malware. A sample of the malware was included in a reference document for the report. The malware itself was not discussed in a report until two months later when it was covered in some detail in a report which did not cover the DNC hacks.

It’s possible McIntyre was referring to a sample of code included in a reference document for the first report rather than anything said in that report itself. However, the December 29th report did not attribute the P.A.S. malware to APT-28 or APT-29. Only the February 10th report did. If McIntyre meant to refer to the December 29th report, he misdescribed what it said.

I’m not sure why we would want to refer to the earlier report though. The February 10th “enhanced analysis” is far more detailed.

Wordfence convincingly linked the PAS malware to the indicators of compromise published in the DHS report. The failure of DHS to accomplish Wordfence’s analysis speaks to their limitations.

What “failure” are you referring to? The initial report was not meant to examine things at such a fine level of detail. It didn’t claim to do so. I don’t see how failing to do something you didn’t set out to do constitutes a “failure” in any meaningful sense. When the DHS set out to give a detailed analysis, it did a better job of it than Wordfence.

Moreover, Wordfence did not link “the PAS malware to the indicators of compromise published in the DHS report.” The report itself didn’t list any IOCs. Assuming you mean to include the accompanying data files, Wordfence didn’t link that malware to any of them. It didn’t even attempt to. It discussed IP addresses listed as IOCs, but that it discussed them and also discussed the malware does not mean it “convincingly linked” the two together.

Are you referring to this post where he begins by claiming the DHS says “the DNC was hacked by Russian intelligence services using a Russian malware tool they have named Grizzly Steppe”? Because that post was funny. The DHS never labeled that software Grizzly Steppe. Grizzly Steppe was the name given to the cybercampaign the DHS claimed to have identified, a campaign which used that software as one of its many tools.

If that is the post you have in mind, I don’t see how it “plausibly connected” the hacker to anyone. The final step of the analysis in it is the picture used in a profile by the person who supposedly made the software isn’t a picture of the person whose name is given, but another individual. The implication seems to be that other individual is the hacker. But why? If we believe the hacker was using fake information in his profile page, why should we assume he used an actual image of himself? He could have easily stolen someone else’s photo off the internet and used it as his own.

If there was something more than that you are thinking of, I’d love to hear it. If not, I can’t say I find the idea a hacker using a person’s photograph means the hacker is that person very convincing.

at the same time, I don’t think we can conclude it was anyone else either.

I agree. None of the theories fully hang together. My issue is that the US intel community has assigned “high confidence” that it was the Russian GRU on what seems to be flimsy evidence.

I think that it’s plausible that Guccifer 2 and what Crowdstrike calls Cozy Bear/APT29 are the same. As I understand it, APT28 is observed as a family of tools, but some specialists e.g. Jeffrey Carr do not agree that the use of these tools implies “Russia”. The tools are in the wild.

There are important aspects of Alperovitch that I find exceedingly unsavory as a basis for major foreign policy decisions. He’s a member of neocon Atlantic Council, which is a leader of US Russophobia and he himself is virulently anti-Russian. He’s been severely (and in my opinion convincingly) criticized by Jeffrey Carr for major attribution errors, including a subsequent attribution error involving APT28 and Ukraine. He follows Ukrainian hackers who are virulently anti-Russian, but not Wikileaks. One cannot safely rely on him for an anti-Russia diagnosis. Which is different from saying that Russians were not involved. As a parallel, one cannot safely rely on Michael Mann on hockey stick reconstructions, since he’s overinvested in the answer.

Stepping back to what we “know”: we don’t actually “know” that APT28/Fancy Bear was in the system when Crowdstrike arrived. To my knowledge, they didn’t distribute any mirrors of the system as it was when they arrived. While we don’t know for sure what they distributed to other analysts, it appears to be the system as it was later.

Under-analysed in my opinion is the potential role of Ukrainian hackers – both anti-Russian and pro-Russian. They seem to be extremely skillful, with some major exploits e.g. the Surkov hack. Over the past few years, Ukraine has disproportionately driven US foreign policy. Like the Syrian “rebels”, they have a vested interest in getting the US to accomplish things that they can’t do on their own. Could there be some bizarre dynamic here?

Another character in this “Atlantic Council” is the Brit Eliot Higgins who joined them formally in 2016. He started his anti Russia phobia while studying the Syrian conflict, then focused on the Ukraine conflict and even went into the MH17 controversy https://en.wikipedia.org/wiki/Eliot_Higgins

Atlantic Council is not only anti-Russia, but anomalously committed to Ukrainian “nationalism”, even to the extent of trying to launder Stepan Bandera. They have been very active in promoting Ukrainian interests to US congress, with leaders of the Feb 2014 coup being introduced by Atlantic Council to Congressional leaders the following month. These leaders were already well-known to the administration, which had regularly met with them prior to and during the coup.

bmcburney, despite what people say, documents shared by Guccifer 2.0 were not, on balance, helpful for the DNC. Additionally, if Guccifer 2.0 were a false flag operation, why would he have contacted the journalists he contacted? He tried to get local/state reporters interested in material. Why target people on those levels if you’re a false flag operation? Plus, if it was a false flag operation created by the DNC or Crowdstrike, why share documents which weren’t ever shared by the real hacker?

I’m sure there are plenty of other reasons one could bring up. For instance, if the DNC wanted to make it look like Russians hacked them, why do such a bad job of it? Nobody could have anticipated the crumbs in the Guccifer 2.0 documents would have been convincing.

if the DNC wanted to make it look like Russians hacked them, why do such a bad job of it? Nobody could have anticipated the crumbs in the Guccifer 2.0 documents would have been convincing.

I agree. A DNC false flag sort-of fits some elements, but not enough.

One of the lines of argument in attribution articles was “precedent”, but their examples were bizarre: e.g. TV5Monde.

If one begins with cases in which emails have been published to embarrass US political figures, the hacks (to my knowledge) are uniformly by individual hackers or small groups, often of a somewhat anarchistic bent. Think hacks of John Brennan, Colin Powell, Sidney Blumenthal, Sarah Palin, ... but also Breedlove, ... It would be instructive to make an inventory. It’s hard to think why the “Russians” would bother with such chickenfeed as routine administrative documents of the Democratic Party of Virginia in 2010-13.

I think that it’s a fair assumption that the DNC would avoid any disclosures that were truly embarrassing with potential for damage. And “proof is in the pudding”, that is, the DNC did not need to make a “better job” of a Russian hacking. Success was theirs. They knew that their sympathizers in the MSM would respond appropriately. In this view, the DNC reckoned that their advantages would carry the day and they were right.

I should enumerate the DNC advantages: 1, the MSM ready to follow its lead (very big advantage); 2, CrowdStrike, hotshot cyber security firm with big previous success reported in the media, the shine still on them; 3, U.S. intelligence community ready to chip in and add confirmation; 4, Fancy Bear and Cozy Bear and any fool knows that this means Russians.

Although I don’t agree, I understand why you might say that the G2 documents didn’t help Hillary. It’s certainly true that the vast majority of G2 documents are completely innocuous. But that fact itself points toward G2 being a DNC/Crowdstrike false flag. As Steve has pointed out, however, the e-mail curation is curious. G2 supposedly released the DNC’s entire raw, unedited, opposition research file and there was hardly anything in it worth reading. Where, for example, is a reference to the “grab them by the p***y” videotape which appeared in October? Where is all the Steele Dossier stuff? I find it hard to believe that the DNC was unaware of those things prior to June, 2017. These people are supposed to be professionals.

Again, there is the baseline question, if you are trying to help elect Donald Trump (or hurt Hillary) making the DNC opposition research file on Trump the only meaningful contribution to public discourse is hardly the way to do it.

Similarly, I don’t see why G2 agreeing to speak to lower profile reporters shows it was not a false flag. As a false flag or an ego-driven hacker, you want maximum publicity (assuming the hacker is sure he won’t get caught) either way and I would kinda get an argument that maybe a Russian or Romanian wouldn’t know who to contact for maximum exposure. But the evidence that G2 isn’t really a Russian or a Romanian is compelling and, even if it wasn’t, G2’s English skills are obviously sufficient to figure out which reporters and publications are worth his time and which are not.

As a false flag, however, you should remember that the DNC has to live with the big time journalists after this particular election is over. If the false flag is ever detected, major journalists are not going to like it that the DNC used them to propagate a hoax. The DNC could calculate that a few local reporters would be sufficient to get the story out to the point that major journalists could report it without putting their own credibility at risk should the hoax be discovered. Again, this evidence actually tends to support the false flag theory.

From the point of view of a DNC false flag operation, as long as the additional documents were innocuous (and all were) sharing a few on the G2 site which did not appear on Wikileaks just adds credibility to the G2 hoax without hurting the candidate. The G2 release is the Wikileaks release, minus the damaging e-mails, plus authentic e-mails that don’t matter to anyone. Doesn’t that sound like a DNC false flag?

The problem with claiming that the application of Russian whiskers was too amateurish to be a DNC false flag is that it worked. It continues to work. As of today, I believe a majority of the public and media regard the fact that the Russians “hacked” the election as undoubted truth, but the only reason anyone has to connect Russian hacking to the election is that G2 says he hacked the DNC and the whiskers prove he is Russian.

As far as the DNC was concerned, they only had to make the deception last from mid-June till early November.

The original Guccifer was certainly a hacker and other hackers were hackers. Hackers certainly exist. None of these things is evidence showing G2 is a hacker.

Pro-Western Ukrainian hackers have had their political angle since at least 2004 (Orange Revolution) locally and were supported for that by US agencies. Plenty of convenient leaks/hacks there ever after = lots of experience gained.

I’m not incorrect. Even if all of Crowdstrike’s claims regarding APT28 and APT29 were correct (and that’s not impossible), this would only prove that Russians hacked into the DNC servers. Crowdstrike can’t say, and didn’t say, that APT28 or APT29 provided e-mails obtained during the hacking to Wikileaks. Only G2 says he is both the hacker and the Wikileaks source. Only his whiskers say he is Russian. Only the Wikileaks documents matter; the non-Wikileaks G2 documents are meaningless and wouldn’t have any effect on the election.

“Even if all of Crowdstrike’s claims regarding APT28 and APT29 were correct (and that’s not impossible) this would only prove that Russians hacked into the DNC servers”

Right, the whole basis for claiming “interference” in reality rests on the publicity generated by G2.

Reflect: if the announcement that the DNC servers had been hacked by Russia had been followed by no other news, then the incident would have been totally forgotten in a week or two. But G2 kept stirring up publicity. Repeat, G2 was the vehicle by which publicity was repeatedly stirred up and the means by which the “interference” myth was fixed in the public’s mind. Without G2, there would have been no clamor of interference.

G2 = interference; if no G2 then no clamor, no Mueller, no Special Counsel. The G2 was a stroke of genius.

The G2 persona was instrumental to generating the “interference” clamor. I believe this persona fulfilled the role of shaping the mind of the public and that the persona was contrived and operated for that specific purpose; this was achieved by a months-long campaign of public “appearances”, all newsworthy.

It cannot be overemphasized that G2 is the whole basis for the claim of “Russian interference”.

Steve comments: “Stepping back to what we “know”: we don’t actually “know” that APT28/Fancy Bear was in the system when Crowdstrike arrived. To my knowledge, they didn’t distribute any mirrors of the system as it was when they arrived. While we don’t know for sure what they distributed to other analysts, it appears to be the system as it was later.”

Sept. 2015 — The FBI contacts the Democratic National Committee’s help desk, cautioning the IT department that at least one computer has been compromised by Russian hackers. A technician scans the system and does not find anything suspicious.

Nov. 2015 — The FBI reaches out to the DNC again, warning them that one of their computers is transmitting information to Russia. DNC management later says that IT technicians failed to pass along the message.

May 25, 2016 — The last DNC WL email and end of high bell shape volume distribution since 4-19.

June 10, 2016 — Crowdstrike shuts down the DNC network and rebirths from scratch to expel Bears.

June 12, 2016 — Julian Assange tells interviewer that WL is going to release trove of more Clinton emails from her days as US secretary of state. (He does not mention DNC.)

June 14, 2016 — The DNC and Crowdstrike jointly announce they have been hacked by the Russians. Alperovitch says that the FSB’s Cozy Bear had been in the network since the prior summer and that the GRU’s Fancy Bear accessed the system only just before he arrived and only obtained opposition research files, which would likely have become public at some point anyway.

The next Day, June 15, 2016 — Guccifer 2.0 releases the DNC’s Trump dossier, claiming to be the hacker but not Russian, Romanian. Alperovitch comments that he stands behind his Russian attribution.

Why hasn’t Guccifer 2.0 been squarely linked to Fancy Bear just as Alperovitch set up? If everyone missed this Alperovitch certainly didn’t. Why didn’t he make the connection clear to others?

Ron, nice summary. Two points: John Podesta did not fall for the phishing attack. He caught it, but the IT staff told him it was legit (now claiming it was a typo). Also, I think a key detail that Steve has identified should be getting more attention: April 19 is also when Hillary’s e-mails first appear in the Wikileaks.

Thanks, Ron. That timeline info indicates that the FBI had concluded in Sept. 2015 that the DNC was being hacked by Russians and the hacking was still going on in Nov. 2015. This is well before Crowdstrike came into the picture. If this is true, I am going to believe it was most likely the Russians. DNC should be prosecuted for being unbelievably incompetent. Somebody tell Hillary. Another excuse for her ignoble loss.

March 19, 2016 – John Podesta _claims_ a phishing attack for this date.

We cannot verify this claim. Possibly the emails were exfiltrated by other methods, which methods the DNC is motivated to hide. Wikileaks claims that the emails were obtained by an insider who had legal access. If Wikileaks is truthful, then Podesta is not.

Also, I believe that the Podesta emails are all dated prior to March 19. This fact does not square with the phishing claim, as I understand.

April 19, 2016, the date of the successful breach is also the date DCleaks.com domain is registered. This seems to link WL to DC leaks. Does anyone know if there was overlap between DC leaks and WL?

Is there any indication from the forensics or circumstances that the Podesta WL is not connected to the DNC WL? If they are connected then it looks like they both would have been a hack, contrary to Assange’s claim of a leak.

Also, the Podesta breach coincides with a massive phishing effort in which about 20 out of 100 DNC staffers clicked on malware links in email, providing another indication it was outsiders attacking.

Steve, how did the hacker continue with Podesta infiltration after the password change? What stopped the Podesta attack?

One of the early articles on the DNC hack said that the large-scale phishing attack had far more attacks on hillaryclinton.com than on dnc.org, including clicks. Nothing ever leaked from hillaryclinton.com. Seems odd.

Yet it also makes little sense that Podesta has never seen a phishing attempt or has never been warned, along with a score of other campaign officials, never to click on unknown email links or attachments and never, never change a password by clicking on a supplied link. Even the bonehead tech that wrote Podesta it is a “legitimate” email (meaning illegitimate) wrote instructions to copy and paste the link he was providing. But instead, Podesta must have clicked on the fake link.

Mpainter, if they wanted to make up a phishing claim, I don’t think they would concoct a story that makes them look so incompetent. Old guy Podesta falling for a trick, sure. But Podesta catches it, sends it to IT, and they tell him it’s legit and change his password (which was p@ssw0rd)?

MikeN, it is important to note there is no evidence his password actually was “p@ssword” in any meaningful sense for his Windows account. An e-mail was sent to him where he was told that was the password on a computer which had just been set up for him. That is, it was the default password assigned to his account. He could have changed it as soon as he logged in.

There is no evidence Podesta ever used “p@ssword” as a functional password. All we know is it was the password assigned to his Windows account before he ever logged into it. We have no way to know whether he left such a terrible password on the account or if he changed it to something more secure.

Did anyone find that Warren Flood was the author of the DNC anti-Trump dossier? Is this real or G2? The date in the document meta-data is December 19, 2015. This is the first that I have seen that Warren Flood was actually a DNC hired op.

A 200+ page document that appears to be a Democratic anti-Trump playbook compiled by the Democratic National Committee has leaked online following this week’s report that the DNC was breached by Russian hackers. In it, Trump is pilloried as a “bad businessman” and “misogynist in chief.”

The document—which according to embedded metadata was created by a Democratic strategist named Warren Flood—was created on December 19th, 2015, and forwarded to us by an individual calling himself “Guccifer 2.0.”

Also this June 15 Gawker article shows G2 as the first to broadcast that the DNC docs are in WL hands. One has to admit that G2 has strong connections with WL then as he does with DCleaks, controlling the administrative interface tools to provide credentials to selected media to login for exclusive access to particular docs.

IMO the Warren Flood stuff is a total red herring. My interpretation is that G2 picked up an old Warren Flood document to modify as a template; changed the default language to Russian, then successively cut-and-pasted three other unrelated documents into the Russified “Warren Flood” template, one of which was the Trump oppo research.

Assange, instead of announcing the DNC leak, says he has HRC emails from her SoS-era private server. This makes sense if Assange believes he must give the DNC leaker some cover until the release date. If G2 is the WL source, he presented himself to Assange as a leaker, not a hacker. Yet he turns around the next day and reveals he is a crazy, malicious hacker and reveals WL has DNC docs. Yet G2 is never able to provide evidence by documentation that he is the source of the WL. Anybody else find this odd?

In Dec 2016 Julian Assange came on Hannity’s radio show to make it clear that G2 was not his source, breaking from his longstanding policy of not making any comment toward source identities. Assange elaborated:

“Now, who is behind these, we don’t know,” he said. “These look very much like they’re from the Russians. But in some ways, they look very amateur, and almost look too much like the Russians.”
In the Hannity interview, Assange also claimed that WikiLeaks received three pages of information about Trump and the Republican National Convention. It chose not to reprint those documents because they had already been printed elsewhere.

So Assange also denies receiving the Flood 200-page Trump opposition strategy paper.

Steve, I’ve seen experts say that the Warren Flood documents were created on July 5, but I realize now from the Forensicator article that one can reset the creation date by using the Linux-type copy command. So the only thing this proves is that G2 was very conscious of his meta-data trail, except perhaps the effect on the time zone of the Linux copy versus MS products.

Steve, you commented: “as I mentioned on another occasion, in October, G2 posted up a screenshot of a DNC email from the right period that wasn’t in the Wikileaks archive.”

If G2’s purpose was to bolster his standing as the WL source then choosing to publish a document he neglected to give them would be an odd choice, unless it was damaging and he said he forgot to include it to WL. Am I missing your point?

On the Podesta documents, I notice that G2 has more overlap there as he supplied many of the email attachments from the WL Podesta file days before WL published them. I also notice that Assange never claims that the DNC and Podesta files are from the same source. Although I realize Assange does not talk about sources, he made the exception to disclaim G2 from being the DNC source but remained mum on the Podesta file.

I’ve seen experts say that the Warren Flood documents were created on July 5, but I realize now from the Forensicator article that one can reset the creation date by using the Linux-type copy command. So the only thing this proves is that G2 was very conscious of his meta-data trail, except perhaps the effect on the time zone of the Linux copy versus MS products.

You’re mixing several things together here incorrectly.

1) You have to distinguish between file metadata and internal document metadata. I don’t think that the document creation date is necessarily reset with a Unix copy operation, only the document modification date.
2) The Warren Flood documents occurred on June 15 (at the blog), not July 5 (a date arising in ngpvan.7z).
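Steve’s distinction above between file metadata and internal document metadata, and Ron’s earlier question about whether a Linux copy resets the creation date, as an added example that is not part of the original thread and not code from anyone quoted in it: a Python script that builds a minimal .docx with constructed sample metadata, copies it the way `cp` and `cp -p` would, and reports which metadata layer each copy left untouched. The author names, dates and file names are constructed values; nothing here is read from the actual Guccifer 2 files.

```python
"""Added example: separate a Word document's internal metadata (docProps/core.xml
inside the .docx zip) from the filesystem timestamps, and show what a plain
copy does to each layer. All sample values are constructed."""
import os
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used in docProps/core.xml of an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Template for a core.xml part; the field values are filled in by the caller.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" '
    'xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">\n'
    "  <dc:creator>{creator}</dc:creator>\n"
    "  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>\n"
    '  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>\n'
    '  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>\n'
    "</cp:coreProperties>\n"
)


def build_sample_docx(path, creator, last_modified_by, created, modified):
    """Write a minimal .docx-style zip whose only meaningful part is core.xml.
    The values are constructed sample data, not metadata from any real file."""
    core = CORE_XML.format(creator=creator, last_modified_by=last_modified_by,
                           created=created, modified=modified, **NS)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")  # stand-in body part
    return path


def read_core_properties(path):
    """Internal document metadata: the author/created/modified fields that
    Word shows under File > Info. They travel inside the zip container."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return None if el is None else el.text

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def file_mtime(path):
    """Filesystem metadata: the modification time `ls -l` or stat reports.
    It lives in the inode, not in the document, so the two can disagree."""
    return os.stat(path).st_mtime


def copy_and_compare(src, dst, preserve_times=False):
    """Copy src to dst like `cp` (content only) or `cp -p` (timestamps too)
    and report which metadata layer survived the copy unchanged."""
    if preserve_times:
        shutil.copy2(src, dst)     # also copies mtime, like `cp -p`
    else:
        shutil.copyfile(src, dst)  # content only; dst gets a fresh mtime
    return {
        "internal_unchanged": read_core_properties(src) == read_core_properties(dst),
        "fs_mtime_unchanged": file_mtime(src) == file_mtime(dst),
    }


def demo():
    """Build a sample document with an old filesystem mtime, copy it both ways
    and return the comparison results plus the parsed internal metadata."""
    with tempfile.TemporaryDirectory() as d:
        src = build_sample_docx(
            os.path.join(d, "sample.docx"),
            creator="Sample Author",           # constructed value
            last_modified_by="Sample Editor",  # constructed value
            created="2015-12-19T00:00:00Z",    # constructed value
            modified="2016-06-15T12:00:00Z",   # constructed value
        )
        old = 1_450_000_000  # Dec 2015 in epoch seconds; an arbitrary old mtime
        os.utime(src, (old, old))
        plain = copy_and_compare(src, os.path.join(d, "plain_copy.docx"))
        preserved = copy_and_compare(src, os.path.join(d, "cp_p_copy.docx"),
                                     preserve_times=True)
        return {"internal": read_core_properties(src),
                "plain_copy": plain, "preserving_copy": preserved}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Neither copy mode touches the creator or created fields inside the container; only the filesystem mtime differs between the two copies, which is why an examiner reads the two layers separately.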

From security firm assessments of the DNC/Podesta attacks it seems the DNC was initially ill-prepared for cyber-attack. There were over 200 exfiltrations via MS OneDrive as well as other means. We know that training and precautions were lax and that there was ongoing compromise for 9-12 months. The possibility seems plausible that the DNC decided to try to make lemonade out of the lemons. After all, they found out that they were breached by multiple groups. And although APT28 and APT29 were likely created by the Russians, they were open source tools that could be used by any sophisticated actor. I am going to quote from career intelligence expert Scott Ritter, who is a member of VIPS. He did not sign onto the recent Forensicator analysis, but he also does not buy the “Russia Russia”.

The notion that the Russians would use special tools to hack a journalist’s email account and open-source tools to hack either the DNC or the German Parliament is laughable. My experience with Soviet/Russian intelligence, which is considerable, has impressed me with the professionalism and dedication to operational security that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and the Guccifer 2.0 operation as a whole are the antithesis of professional.

Perhaps more important, however, is the fact that no one has linked the theft of the DNC documents to Guccifer 2.0. We do not know either the date or mechanism of penetration. We do not have a list of the documents accessed and exfiltrated from the DNC by APT 28, or any evidence that these documents ended up in Guccifer 2.0’s possession. It is widely assumed that the DNC penetration was perpetrated through a “spear-phishing” attack, in which a document is created that simulates a genuine communication in an effort to prompt a response by the receiver, usually by clicking a specified field, which facilitates the insertion of malware. Evidence of the Google-based documents believed to have been the culprits behind the penetration of the Democratic Congressional Campaign Committee (DCCC) and John Podesta’s email servers have been identified, along with the dates of malware infection. No such information has been provided about the DNC penetration.

Here is one possible scenario that fits the evidence:

FSB Hacks DNC with Cozy Bear and is quietly consuming information for internal use for routine espionage from summer 2015 to CrowdStrike (CS) intervention. They never leak.

Seth Rich hacks DNC internally on May 25 after presumably the IT staff alerted everyone of recent attacks by giving anti-malware safety talk. Rich is a big Bernie Sanders supporter and perhaps has seen firsthand the internal favoritism to Clinton. He thus used the opportunity of the outside breach to provide cover for an inside breach that he can leak to WL, which he manages some time in early June.

Now stepping back to the Podesta gmail spear phishing breach on March 19, we can presume that Podesta and IT staff realize they have been breached. They do not call in a security firm because all they needed to do was have everyone change gmail passwords. But the information is out and the Clinton campaign needs to build a defense plan for a possible hacked doc dump. They come up with the G2 playbook, especially since Trump is going around claiming Putin is calling him a genius and such. They register DCleaks.com on April 19 to use as their own fake WL.

Two months later, the Clinton campaign is thinking they dodged a bullet when WL makes the bombshell press announcement on June 12 that Hillary emails will be coming out. By this time Clinton has clinched the nomination and thus coordinates with DNC heads and CrowdStrike (CS) to put the G2 plan into action. A Fancy Bear attack is simulated on the server and the press is told on June 14-15 that FB only got the Trump opposition research document. The DNC server is held by CS, who supplies all the analysis and data for the IC and other security firms to concur.

G2 does his thing and the breaches get accepted as Russian. The anti-Russian Ukrainians, seeing this, and not caring as much about HRC as about hurting Russia relations, supply the Podesta emails to WL. Assange is either duped or holds his nose to accept the valuable offering.

Seth Rich is distraught and conflicted about accepting a job offer from Hillary and goes out drinking and chatting on the phone into the early a.m. of July 10, where he runs into muggers and gets shot while foolishly fighting them. Two weeks later Assange names Rich as an example of the dangers his sources face and offers a $20K reward for information leading to a conviction in Rich’s murder.

Brandon: “Ron Graf, that is simply not true. APTs are identified threats, usually groups, not just MOs. You cannot copy an APT. You cannot copy methods and techniques used by an APT, but that does not mean you are using the APT.”

Here is a definition from Techtarget.com:

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

So the types of APT, I believe, are classified by associating past recognized MOs with particular APTs. Attribution of these specific APT types is another matter. But do you have any particular point regarding the logic or facts in my proposed scenario?

I commented that I had just learned in a Gawker article of June 15, 2015 that G2’s debut on June 15, 2016 was with the leak of the DNC Trump opposition research 237-page document dated December 19, 2015, authored by Warren Flood. Realizing that Warren Flood was the meta-data original author of the G2 MS Office templates created on June 15 I was wondering if there was any doubt that Flood was the author of the Trump-oppo research document. I just found that Lauren Dillon, another DNC staff member was the author, not Flood.

Steve commented: “IMO Warren Flood stuff is total red herring. My interpretation is that G2 picked up an old Warren Flood document to modify template[I presume the Trump oppo document]; changed default language to Russian, then successively cut-and-paste three other unrelated documents into the Russified “Warren Flood” template, one of which was the Trump oppo research.”

I concurred that the template date was likely updated by G2 from copying. But I mistakenly referenced the Forensicator, who analyzed the July 5 dated NGPVan.7z. I confused it with Adam Carter’s analysis of G2’s Warren Flood documents dated June 15 here.

The first document, “1.doc” (mirror), was given considerable coverage; while the name “Warren Flood” was reported, the date in the report (rather than in the metadata) was reported, and so it was attributed to Warren Flood on 12/19/15.

Gawker incorrectly claimed the metadata showed the document was created in 2015 when it actually indicated the document was created by Warren Flood at a much later date.

The truth is that the metadata shows the document being created 30 minutes before Guccifer2.0 appears to have gotten his hands on it.

Steve commented: “I don’t think that the document creation date is necessarily reset with a Unix copy operation, only the document modification date.”

Steve, if you are saying the MS metadata creation date cannot be changed by Unix copy or other means, which I see is Adam Carter’s assertion, that would imply that G2 had used Warren Flood’s computer or installed Windows on a computer using Warren Flood as the user name, installed MS Office, created a fresh Word template, and copied and pasted the 237-page body of the 12/19/15 document, all to have Warren Flood’s name as the original author, instead of DNC staffer Lauren Dillon.

Steve, are you saying that G2 researched and found Warren Flood would make an ideal suspect, being a self-employed whiz kid for Dem campaign IT? G2 wanting to create a false flag of being a DNC inside job with a false flag of a Romanian hacker as a false flag for a Fancy Bear is a little steep. Or, what am I missing?

Steve, I don’t think you understood Adam Carter’s point. The Warren Flood documents were not only modified on June 15, they were created on June 15. This makes it impossible to be random. Carter asserts the only way to set the creation date June 15 and original author Warren Flood in the metadata is to have the computer be Flood’s or, as I offered, to install the operating system using Flood’s name as user.

Also, when you say random, from where do you speculate Warren Flood’s name came? He is not in any of the DNC or Podesta files or in any documents for G2 except inadvertently in the metadata of the first three G2 leaks.

Could I just ask, given Russia’s record, why is it so doubtful that they perpetrated the DNC hack? Two Russian agents and a Kazakh-Canadian man have been indicted for hacking Russian and US businesses and officials in the Yahoo email hack. The Canadian man has been arrested and is in custody. He is additionally accused of using the Yahoo hack for his own private benefit outside of the work for the Russian government.

The Russian government hacked an email provider. Why could they not have hacked the DNC servers?

TAG, personally, I don’t think there should be any doubt Russia would want to break into the DNC’s servers. The only questions are: did they succeed, and if so, are they the ones who released this material?

When I read these finely detailed analyses, my memory goes back to the George W. Bush National Guard fitness report controversy. I read detail after detail that typewriters were available at that time that could create documents that resembled those from modern word processors. Each typewriter had some feature required but not all. These would have been highly expensive and uncommon. I brought up the point on one mailing list that the secretary from the base was alive and had been quoted in newspaper reports about the fitness report issue. If such a fancy typewriter was at the base and being used to create documents that would only be filed away, the base secretaries would know of its existence. I suggested just asking her. My contribution was not published to the list.

The George W. Bush typewriter controversy was, in an important way, one of the first examples of social media influence. The actual document was shown on the internet, making it available to someone who actually knew about typewriter and word-processor fonts – things that were not known by national television reporters.

Many of my criticisms of Mann, Briffa and other climate scientists are of this type: they didn’t investigate the details of their proxies. Otherwise, they wouldn’t use them upside down, etc.

It didn’t matter what the media knew about typewriters. They had no interest in verifying. The sudden appearance of the documents after they said they needed something more for a story was evidence enough for a normal reporter to be suspicious, plus they were dealing with copies, not originals. It was too good to check. Now that they do know, they (Rather and Mapes) insist the story is still true.

As I say above, I am sure Russians are trying to hack the DNC every day of the week and, given the apparent attitude of the DNC towards cyber security, I would be amazed if they had not succeeded at some point. The issue is not really whether the Russians were hacking the DNC or even whether they are a possible candidate for the Wikileaks source. Although the nature and timing of the e-mails released through Wikileaks suggests a Bernie supporter was the leaker/hacker, I would agree that there is no conclusive evidence on this point.

The issue under discussion here is whether G2 is the Wikileaks source and also a Russian government hacker. In other words, whether there is any basis for the “Russians hacked the election” narrative and the resulting investigations/hysteria. On those points, a cui bono analysis points decisively towards the DNC/Crowdstrike as G2. See this and related threads.

I agree that there are similarities between this situation and the Bush National Guard forgeries. Among other things, some observers (Dan Rather for one) took (and take) the content of the memos as “self-authenticating” proof of their authenticity and then conclude that their authenticity is proof of their content. Thus, even if the memos are fake, their content is accurate because it confirms what we already know about George Bush. Similarly, if we turn the proxies upside down they confirm what we already know about modern temperatures. Since we can use modern records to check the modern portion of the proxy record, it’s okay to use them upside down in our reconstructions. Used in that way, they prove scientifically that modern temperatures are unprecedented in the proxy record.

I should have said there is no conclusive evidence that the Russians are not the Wikileaks source except that Wikileaks says they are not. This would be conclusive except that Wikileaks doesn’t explain (and likely can’t explain without exposing the source) how they know.

I think this needs development to a logical conclusion:
If the emails were stored on Google servers, then they could not be hacked from the DNC. Therefore, G2’s claim of being the source of the Wikileaks is prima facie false. Hence, he had no emails to release. But in fact he did release emails but it follows he got them by methods other than a hack.

If one is prepared to believe that G2 is a Russian cyber operative tasked with a “deny and deceive” operation, then one accepts the premise that Russian Intelligence is a tribe of clumsy bunglers. Because G2 bungled at the outset and his superiors simply brazened it out, trying to make a blown operation work.

I believe that the operators of the G2 persona had two objects: one, to show that it was the Russians, and two, that they were also the source of the Wikileaks DNC emails. The claim by Wikileaks undermines this effort (recall, it was not until January this year that Wikileaks spoke out). If the DNC leaker were to come forward, the G2 persona would crash and burn.

Here is CNN’s timeline of Russia hacks. Since the FBI gave the DNC a heads up that their system was compromised by Cozy Bear, aka APT29, aka Dukes, 6 months prior to the DNC calling Crowdstrike to verify the breach, I find it compelling that Crowdstrike could not be the source of Cozy Bear. The declassified US intelligence report, published by the NYT, says CB was a project of the FSB, whereas FB was a product of the GRU. I find it hard to believe that these organizations would not be reporting to Putin or their equivalent of a DNI in order to coordinate. As it happened, if the new activity of FB was what sounded the DNC alert to call Crowdstrike, it means that one Russian group would have initiated the discovery and expulsion of both (somebody’s up for severe punishment for that). I find it implausible FB and CB were both Russian, especially considering the lax DNC security beforehand.

Does anyone know how much document overlap there is between WL DNC and G2, between WL Podesta and G2, between DCLeaks and G2? Also, how damaging were the DCleaks?

I think the strongest connection of G2 with WL by the US IC is simply the implausibility that a hacker not having inside knowledge of the DNC breach before the WL announcement could have mapped out a plan of action in two days. I think CrowdStrike is simply beyond suspicion. One could imagine that every top cyber security company is capable of installing a CB or FB or being a G2. But notwithstanding that the US federal government just banned Kaspersky from their computers last month, the admission that we rely on Russian and Ukrainian security experts to protect us from Russian and Ukrainian breaches is clearly something that would rather not be dealt with (publicly).

If G2 was not WL leaker how does G2 know the real leaker would not expose him/her?

There isn’t much overlap.
Some documents released by Guccifer 2.0 had changed metadata since they were apparently re-saved. Some of those documents are also in attachments in DNC emails on WikiLeaks.
IIRC WikiLeaks didn’t release any documents, only DNC emails and later Podesta emails. Some documents were in attachments of those emails.

I was doing some comparison of emails on DCLeaks and WikiLeaks and hadn’t found any overlap. But I haven’t documented it. Recheck to be sure.

I posted some mistakes in my previous post:
There was no overlap between documents Guccifer 2.0 released and attachments of the DNC leaked emails on WikiLeaks.
There was overlap between Guccifer 2.0 files and attachments in WikiLeaks Podesta emails.

“What I’ve done is cross reference these leaks, which Guccifer 2 himself/herself said were from the DNC, with Wikileaks’ DNC email publication. My research shows that none of these Guccifer 2 DNC documents are in Wikileaks’ DNC documents. That’s not to say they didn’t show up at all in Wikileaks. They did. They showed up in Wikileaks’ Podesta emails, not the DNC emails. At least almost half of them did. The other half I was not able to locate at all in Wikileaks. Please feel free to cross reference this list yourself with Wikileaks (sometimes you have to be creative in your search or use the attachment or filename search) because I’m only human here, folks. Furthermore, I believe that debunking information only gets us closer to the truth.”
-jimmysllama

Lurker, I am assuming that the Podesta WL was after the G2 release of the docs that overlapped, or if they were released after that, they had more original meta-data than the WL version. One should keep in mind that a DNC insider might not have a clue about which DNC documents might get released, but a Clinton insider could more easily determine what the Podesta set would include. Clearly, the best Podesta material was in WL and not G2.

I find it hard to believe that these organizations would not be reporting to Putin or their equivalent to a DNI in order to coordinate.

Why? The United States has equally bad coordination on any number of projects, even now, with 15 years of people calling for it to be fixed as a response to the terrorist attacks of September 11th, 2001. Do you really think Russia must have better coordination than the United States does? The country is a kleptocracy with constant in-fighting and back-biting as people jockey for power.

Not that this is just a matter of incredulity. Russian intelligence/military has created separate groups to work independently of one another in things which overlap many times.

Cyber attack groups have standing orders regarding what they can/cannot do and who they should/should not target. There’s no reason to have them get permission for each attack against each target. It wouldn’t even be feasible when they target hundreds of networks.

I imagine the groups would report to higher ups about successes/material they’ve gained access to, but that doesn’t mean those higher ups would then pass that information to other groups. That doesn’t mean the information would get passed along to other groups though. Unless the information gets passed quite a ways up the chain, the people who get the reports might not even have any oversight of the other group.

I don’t even know what the upside of the coordination you describe would be.

More serious intelligence burglaries than this have been claimed loudly. I think the intercepted Jan/Feb 2014 Nuland / Pyatt phone call on US interference in the 2014 Election in the Ukraine is a very apt example as it is my current opinion that much of this Russia hacking fact and fiction / spy vs spy goes back to these events.

Avoiding links…
“The recording “was first noted and tweeted out by the Russian government. I think it says something about Russia’s role,” White House press secretary Jay Carney told reporters.”

From Reuters:
“The leaked conversation appeared certain to embarrass the United States and seemed designed to bolster charges – from Russia, among others – that the Ukrainian opposition is being manipulated by Washington, which President Barack Obama’s administration strenuously disputes.”

There is most definitely Ukraine & Clintons vs Russia, US Conservatives and Business Interests mess to untangle here. Strange bedfellows.

Back to the subject of intelligence gathering and acts of war… during the cold war it was assumed that state actors were everywhere collecting everything they could. It is no different today.

Today the world is much more complex in that technically sophisticated and much less rational non-state actors can also cause havoc. As many have pointed out these must be considered here. Finally, I also have no idea who is behind any of this but it is a mistake to assume that state actors require some concrete objective. The sowing of FUD in the election process and results and gumming up the government with byzantine suspicions and their investigations is reward enough.

Yup. This is why I wish people would at least try to be more rigorous in their analyses. Too much of what people publish winds up being shoddy work, and that is exactly the sort of thing the “bad guys” want. If the situation is such people can’t even agree on basic facts, the truth ceases to matter. Every narrative becomes equally valid – as long as it caters to someone’s preconceived perceptions.

“Every narrative becomes equally valid – as long as it caters to someone’s preconceived perceptions.”

Do you agree with my analysis that the Russian clown makeup gave the quick confirmation of the Russian pre-conceived perception for the left? If that was true then the use of the Russian associated VPN service would be giving confirmation to those looking for a more technical confirmation. All the while the invalidity of those pieces of evidence would work to raise skepticism by Trump supporters, causing a deep division of domestic dispute and weakening the US.

As I commented earlier, this would be a perfect Russian operation but for the fact that Russia takes the blame for it. Do you think they wouldn’t mind taking the blame among at least half of the US? My objections of G2 being able to plan out and commit to his/her operation in just two days vanishes if the overall mission was for Russia to take the fall for the hack with the use of false flags to itself so it could maintain deniability. Certainly Russia does not care significantly who is in power in the US as much as it cares about weakening the US.

By the way, if anyone feels exonerated by my analysis they are just bending it to “preconceived perceptions,” because everyone loses, probably even Russia.

Ron Graf, I think that is a reasonably accurate description of what happened, but I don’t think it’s something which could have been predicted. Even if it could have, what you describe doesn’t seem to fit Guccifer 2.0’s behavior in regard to who he reached out to. For instance, if that was the goal, why reach out to state/local reporters?

I can’t rule a possibility like you describe out, but I don’t see any particular reason to believe it is what happened. There is simply too little information for me to draw much in the way of conclusions. I mean, we don’t even know where some of the released documents came from.

Brandon, operations with political objectives, programmed based on predictable psychological responses, is what covert operations divisions do. I admit that it is not easy work but they are given state resources, and in countries like China, Russia and NK such groups command the top of the food chain. This does not mean that every event affecting the gameboard is planned, but when all other better explanations fail one should not shy from considering it.

Ron Graf, I think if you examine actual intelligence operations, you will find they fall far short of the goals you lay out. Operations involving the risks and complexity of the false-false-flag operation you describe may happen on occasion, but they are not commonplace. I doubt you could find many, if any, examples of them being carried out in the past.

As for theories, I don’t care to put much effort into explaining things when I have little to no information. As it stands, the theory which seems to track best as far as I can tell is the one I mentioned being suggested to me by a friend. Namely, APT-28 and APT-29 broke into the DNC network with APT-29 gaining greater access. APT-28 disseminated material from the network to Wikileaks while APT-29, partially in competition with APT-28, created the Guccifer 2.0 persona. The primary difference between this scenario and the one you describe is the disparate approaches were not planned out in advance or with any great amount of coordination.

But even as I say that, I can pose a number of questions for that narrative which I cannot offer answers for. The same is true of any scenario I’ve seen. I don’t think there is enough information to reach any real conclusions. It could well be “mysteries” in some of the narratives posed thus far would be resolved if we had more information than we do now.

Obviously, I was not talking about domestic leaking from a western IC to its own press. And, I also was not talking about reporter’s known sources supplied with condition of anonymity. In that case the reporter becomes the source and their organization’s credibility must stand behind the authenticity and validity of the source. In the WL case the reporter is Assange and he says his source was not a state actor but otherwise non-attributed. It raises a good question though; how can we trust the media not to be reporting foreign state’s supplied mis-information under the flag of domestically supplied mis-information?

Your theory of multiple Russian IC groups working against each other requires more than a lack of coordination. The GRU must actively be thwarting the FSB for your theory to work. I see that kind of thing in the movies, I haven’t seen evidence of it happening in real life.

Nothing about that proposed explanation requires the groups work against one another. In fact, they would be working together in all broad senses. The only conflict it suggests between the two groups is a competitive rivalry.

All the explanation posits is both groups wound up infiltrating the same network, and when they got booted from the network, they wanted to go public. The group that was more successful with its infiltration went public by simply releasing material it obtained. The other group, recognizing it couldn’t compete in terms of material to release, went with a public deception designed to muddle and confuse matters. Both approaches ultimately serve the same goals of disruption and creating mistrust. Neither approach harms the other.

Brandon, that fruits of foreign state espionage are anonymously leaked to the world is almost unheard of. If Russia or another state were behind the DNC/Podesta WL, (despite Assange’s claims,) then it might well be a first. But for argument let’s say that’s what happened. Then you are saying that the same foreign state allowed one of its agencies to undermine the credibility of that leak while risking exposing the state. And, if it was Russia they allowed G2 to fly the flag of Russia, even if it was a forgery. If this is your scenario what was their intention?

“that fruits of foreign state espionage are anonymously leaked to the world is almost unheard of.”

In fact such leaking is very common, even standard operating procedure. Maybe many leaks are not attributed to state intelligence sources but much of the news we read every day comes from intelligence service or ‘foreign state espionage’ leaks. Think even of how often you have seen something attributed to “anonymous intelligence service sources”.

The United States, Russia, and Israel in particular are notorious for using this method to manipulate public opinion at home and abroad.

The Wikileaks release and the G2 release are at cross purposes. The Wikileaks release was obviously intended to hurt Clinton by demonstrating that the DNC and various journalists colluded with Clinton against Sanders. The G2 release was obviously intended to discredit the Wikileaks release by suggesting it was the work of the GRU. Without G2 and his Russian whiskers there is no basis at all for the “Russian election hacking” narrative. There would have been no FBI investigation, no surveillance of Trump associates, no leaks of information obtained during the surveillance of Trump associates, no Independent Counsel investigation, no four Congressional investigations of Russian election hacking, no sanctions against Russia for election hacking, no anti-Russian hysteria of any kind.

Assuming, for the sake of argument, that two groups of Russian operatives separately obtained the same set of documents from the DNC (something which, taken in isolation, can neither be proven nor disproven) and further assuming that the two groups released those documents to the public, via Wikileaks in one case and via G2 in the other, the only possible conclusion is that both groups of Russians are insane and, if their activities were coordinated in some way, the coordinators are also insane. This seems unlikely to me.

I am open to the suggestion that the Russians actually favored Hillary (there actually is some evidence for that possibility) but, if so, why provide the initial set of damaging emails to Wikileaks? I am open to the suggestion that the Russians favored Trump but, if so, why discredit the Wikileaks release by suggesting that Russian spies were trying to swing the election to him? No matter which candidate the Russians favored, however, I cannot believe that Russian intelligence operatives actually tried to make themselves appear to be the villains in an “election hacking” scenario. Russia is now subject to sanctions for election hacking which Trump did not dare to veto. Now and for the foreseeable future, Trump is unable to make any deals with Russia to roll back the original post-Crimea sanctions, or the new election hacking sanctions, or make a deal on the Syrian disaster or on Ukraine or on the recent “open skies” dispute without leaving himself open to suggestion that the deal was payback for Russian election hacking. The idea that the FSB and GRU were working against each other is fanciful. The idea that this is all part of a coordinated Russian master plan is ludicrous.

The original Wikileaks source(s) were pro-Bernie hackers or leakers. G2 was created by Crowdstrike and the DNC to: (1) discredit the original Wikileaks sources; (2) create an excuse for renewed and expanded FBI surveillance of Trump associates; and (3) to create a “Russian election hacking” narrative. The Russians themselves had nothing to do with any of it.

bmcburney
I understand now that there were Federal investigations running long before this DNC breach against for example Manafort’s and Flynn’s advisory efforts in Ukraine/ Russia. Funnily also the Podesta brothers were involved.
So both HRC and Trump hired marked presidential campaign managers without realizing.

On the other hand, who knows which politically relevant US citizens are not under the secret microscope with those thousands of FISA rubber stamps?

I am aware of an FBI investigation of Manafort in 2014 prior to these events. However, that investigation was closed without charges when the original warrant expired. The renewed FBI investigation, and FISA warrant of 2016, were clearly based on suspicions raised by the “election hacking” narrative supplied by G2.

As far as I know, there was no Flynn investigation prior to 2016. That investigation was evidently triggered by Flynn’s contact with Ambassador Kislyak.

somebody from the Obama admin – Rice, Power ? – unmasked Flynn, who was then leaked to press. Nothing wrong with Flynn being in contact with Kislyak, but Flynn lied to Pence about discussion, so Trump fired him. Comey also lied to Trump, so Trump fired him.

“How did anybody besides Flynn and Kislyak know about their conversation?”

All of Kislyak’s communications with everyone are monitored by US intelligence to the extent they are able to do so. Presumably, this is something both Flynn and Kislyak knew (but forgot?) at that the time of their conversation.

This paints a very dim picture of the “intelligence community”. From an “abundance of caution” they included the totally unverified Steele dossier in their assessment. An important function of intelligence agencies is to separate disinformation from information. They failed miserably. Intelligence? Dimwits.

What we are witnessing is the politicization of U.S. intelligence that started under Bush and proceeded under O’bumma. I feel sure that there are many dedicated professionals who deplore this. I am not ready to write off as incompetent the whole U.S. IC, but only as partly corrupt.

Good rule of thumb: if IC releases have political impact, a skeptical reception is in order.

I’ve been mulling over the idea of a connection between the end of the Cold War ~1989-90 and the amazing amount of bombing and regime change wars involving the US from 1992 on, beginning back to Gulf War, Bosnia, Kosovo, bombing of Iraq under Clinton, Iraq, Libya, Syria, Sudan, Yemen… When did US start amassing military bases in Saudi and the Middle East?

Before the end of the Cold War, the US seems to have mostly left interference in the Middle East to UK and France.

Did the end of the Cold War remove a previous restraint on the US military, which, now unthreatened by Russia, was free to expand into the Middle East to “protect” against some supposed threat, while actually creating resentments that grew into the previously non-existent threats?

Why didn’t the end of the Cold War result in reduced military spending rather than increased military spending?

Also since the end of the Cold War, the entire US economy has been reorganized with the abandonment of large swathes of industrial sector to Chinese imports, accompanied by huge government deficits funded largely by China. Meanwhile, Russia is fiscally solvent, with negligible government deficits or foreign debt.

There was ethnic cleansing and mass murder occurring in Bosnia and Kosovo. It wasn’t just the US responding to that. It was NATO with UK, French, Canadian .. forces responding. The Dutch UN forces abandoned thousands of men and boys in Srebrenica who were later found in mass graves. In Libya, it was France taking the lead with the traditional interest in North Africa. Obama wanted to keep the US out until Gaddafi prepared an assault on Benghazi that would have led to mass murder.

Just to add a personal note. A colleague of mine visited factories in China around 2001. He was amazed at the amount of automation in the factories he visited. He has stories about large factories full of robots and empty of people. The manufacturing success of China is not due solely to cheap labor and currency manipulation à la Trump.

TAG, critical thinking is the key. On any question you can find published in the media contrary points of view. Such as your referred “automation is the reason for decline of U.S. manufacturing”. Go into Wal-Mart and try to find a product that is not made in China. Then reflect on how much of the typical automobile is made elsewhere and then shipped to the U.S. for assembly. Continue this method of thought for about a minute. It will help your understanding and you will avoid the pitfalls of propagating special interest, ah, “inspirations”.

From MIT – mid skill jobs such as those in manufacturing are particularly susceptible to automation. Other sources indicate that this has become especially true since the deep learning revolution started in 2010 with improvements in computer vision allowing robots to be better able to understand scenes

Boston Consulting Group reports that it costs barely $8 an hour to use a robot for spot welding in the auto industry, compared to $25 for a worker—and the gap is only going to widen. More generally, the “job intensity” of America’s manufacturing industries—and especially its best-paying advanced ones—is only going to decline. In 1980 it took 25 jobs to generate $1 million in manufacturing output in the U.S. Today it takes five jobs.

Mid skill: Many of these jobs deal with the kinds of routine tasks that can be well described by a set of rules and have thus been prime candidates for automation. Many blue collar jobs, such as manufacturing and other forms of production, fall into this category. So do white-collar, information-based activities like accounting, record keeping, and different kinds of administrative tasks. Mid-skill jobs have been steadily declining, especially since 2000.

Another example is the furniture industry. After 2000 the U.S. furniture factories were packed up and shipped to China. North Carolina was the source of over half of the fine furniture manufactured in the U.S. The fine Appalachian hardwood lumber that provided the raw material for this fine furniture is all shipped overseas these days. The lumber is returned as furniture.

Did the end of the Cold War remove a previous restraint on the US military, which, now unthreatened by Russia, was free to expand into the Middle East to “protect” against some supposed threat, while actually creating resentments that grew into the previously non-existent threats?

No. The U.S. military didn’t invite Saddam Hussein to invade Kuwait, his potential threat against Saudi Arabia and other states in the region was real rather than “supposed,” Iran was not serving as a counterweight against his ambitions, and no one in the U.S. military relished, or in my experience ever relishes, the idea of going to the Middle East. (If we want a sparsely populated oilstate of our own, we’ve got Alaska.)

Also, while bin Laden’s fatwas do partly castigate the U.S. for its “occupation” (i.e., defense) of Saudi territory, and its supposed role in the massacres in Bosnia, they also attack the U.S. for its alliance with Israel, which covers the last half of the Cold War. So there was plenty of resentment there already.

It would be nice if great conflicts could end with a final peace, but instead they end with realignments and new conflicts…the Soviets don’t have to fight the Germans anymore, so they can concentrate on their rivalry with the West; the jihadists don’t have to fight the Soviets anymore (I remember when “mujahedin” was a term of accolade in the U.S.), so can concentrate on more distant infidels.

Why didn’t the end of the Cold War result in reduced military spending rather than increased military spending?

It did, at first. See the chart. It went from $409 billion in 1990 down to below $300 billion in 1999 (A big rhetorical point in the Clinton years was how to spend the “peace dividend.”) But it skyrocketed after 9/11.

Posted Sep 25, 2017 at 3:16 PM
“Just to add a personal note. A colleague of mine visited factories in China around 2001. He was amazed at the amount of automation in the factories he visited. He has stories about large factories full of robots and empty of people. The manufacturing success of China is not due solely to cheap labor and currency manipulation à la Trump.”

###

TAG, now you need to explain how automation added 100 million manufacturing jobs to the Chinese economy while in the U.S. automation subtracted 5 million jobs.

Imagine no US reaction to Saddam’s invasion of Kuwait in 1990; next he takes KSA. No more Wahhabi poison spreading around the world: secularism growing in the ME, be it under force – the horror. No more dancing to Saudi Elite’s fiddles by the US and UK. Saddam could have been strong enough to keep the Russians or Chinese out too…
Yugoslavia with less external forces splitting in 1991 – less violence. No self-embarrassment for NATO inside of Europe. No Pakistan – North Korea barter of N-bomb technology for long range missile technology or centrifuge tech. to Iran.
Quite an opportunity missed for “a few dollars more”.

Under your scheme rape and plunder get the green light because it makes a better world. Well, let’s all get busy and help ourselves to our weaker neighbors. Let us not dawdle lest another pirate snatch the boodle from us.

That inaction in Libya would have led to mass slaughter of civilians is just assumed true at this point.

The action in Libya was led by France and the UK. The US under Obama had little to do with the decision to intervene except to oppose it. US foreign policy is influential but not decisive. Under Trump, as Angela Merkel noted, it is becoming irrelevant except where Trump’s blunderings (North Korea) have made things much worse than they should be.

Merkel has just been upended and her party might not be able to form a coalition. Germany has taken a right turn. Big change and it is attributed to the “Trump factor”.
Merkel quotes on Trump are good for revealing her misjudgment.

There was a substantial reduction in military spending immediately following the end of the cold war. So much so that the US actually achieved a small budget surplus in the mid-1990s. The increase in Defense spending which took place after 9/11 was from a lower base.

The main drivers of US military involvement in the greater Middle East during the post-cold war period were that Saddam invaded Kuwait and 9/11 happened. The break up of Yugoslavia and the collapse of the Somali government resulted in fairly minor US military activity. Libya and Syria even less.

TAG: “Trump’s blunderings (North Korea) have made things much worse than they should be.” That is some real foolishness. Can you explain how Trump is even remotely responsible for the N Korean thugocracy possessing and promising to use nuclear weapons and ICBMs? Could it be that you wanted Trump to be nicer to those monsters? His predecessors played that foolish game.

Steve wrote: “I’ve been mulling over the idea of a connection between the end of the Cold War ~1989-90 and the amazing amount of bombing and regime change wars involving the US from 1992 on, beginning back to Gulf War, Bosnia, Kosovo, bombing of Iraq under Clinton, Iraq, Libya, Syria, Sudan, Yemen… When did US start amassing military bases in Saudi and the Middle East? Before the end of the Cold War, the US seems to have mostly left interference in the Middle East to UK and France.”

France and the UK probably ceded primary leadership in the Middle East after being opposed by the US during their attempt (with Israel) to regain control of the Suez Canal from the Egyptians in 1956. In 1956, Nasser was playing the Americans off vs the Soviets, but by the 1967 Arab-Israel war, Nasser was firmly in the Soviet camp and that war put the US squarely in the Israel camp.

The 1970’s brought the Arab oil embargoes and the recognition that the West (especially Europe) was extremely vulnerable to the potential loss of Middle Eastern oil to a Soviet land attack through Iran (then our ally). That was when the US set up “Central Command” (to supplement Pacific Command and NATO) to run all military actions in the Middle East (from Lebanon to Afghanistan). That was when the US set up bases in the Gulf States. CentCom ran brief operations in Lebanon and they protected “neutral shipping” in the Persian Gulf during the Iran-Iraq war in the 1980’s. However, the US didn’t have the resources to take on the Russians in both Europe and Iran, making CentCom a backwater until Saddam invaded Kuwait, just as the Cold War ended.

Immediately before the Clinton administration began new adventures in the Balkans, Somalia, and Haiti; the Reagan and Bush administration had been involved in Afghanistan, Lebanon, Grenada, Nicaragua, Angola and finally the Gulf War. So US involvement overseas GRADUALLY shifted from mostly anti-Soviet to a diverse set of engagements in the 1990’s.

Brandon, you’re wrong and Pete is right. Here’s my answer to Pete’s question: the yellow arrow on left shows weak confidence in attribution of APT28 to Russian GRU. I’m trying to remember where I read this connection between Reality Winner disclosure and DNC hack.

I have a testy comment I wrote, but rather than post it, I’ll try being more diplomatic. Steve McIntyre, would you please point to the portion of this report, from which that chart was taken, which discusses or otherwise deals with the intrusion to the DNC network?

Brandon, always a good idea to resist the temptation to be testy. Internet doesn’t help. Back in the day when I was young and had to deal with business disputes from time to time – and one still corresponded by written letters or faxes – I learned that, whenever I had a particularly clever repartee, it was always a good idea to sleep on it overnight and remove it in the morning, especially when I was right. Never did any good to annoy a customer or supplier.

Ordinarily, documents that are classified are not seen by the public. My understanding is that only POTUS may legally authorize public release of a classified document such as this. It is a safe assumption that Obama released this for political effect. That is a political decision. Such an act carries with it the possibility that this chart was devised with the purpose of public effect.

As I said, the IC has been politically corrupted. Who disagrees? The campaign to pin Trump as “colluding” with Russia did not get underway until he had been elected.
This document may be seen as part of that campaign.

snip
First off, the classification of this document is listed in the document, meaning we can tell what type of official could de-classify. The president is not the only one. I’m not sure there is even a type of document only the president has the authority to de-classify.

As for Obama releasing this document, there is nothing safe about that assumption. In fact, that assumption is insane. The document explicitly states it uses information obtained in April 2017, months after Obama had left office. It would have been impossible for Obama to have even seen this report while he was in office. He certainly couldn’t have released it.

Not only would it have been impossible for Obama to order the release of this document, we know exactly who “released” it. I put the word “released” in quotation marks because it was actually leaked to a news website by a military contractor named (I kid you not) Reality Winner. Winner is currently awaiting trial after having confessed to leaking this report.

The WaPo has reported that Mike Pompeo has taken direct control of the CIA Counterintelligence Mission Center, in August. This is the division responsible for investigating Russian-Trump “collusion”, according to the article. The article spun it anti Trump ugly and attributed to the head of that division profound mistrust of Trump. Hopefully, Trump will share with the public what he now learns about this division’s investigation.

“Brandon, always a good idea to resist the temptation to be testy. Internet doesn’t help. Back in the day when I was young and had to deal with business disputes from time to time – and one still corresponded by written letters or faxes – I learned that, whenever I had a particularly clever repartee, it was always a good idea to sleep on it overnight and remove it in the morning, especially when I was right. Never did any good to annoy a customer or supplier.”

That’s nice and all, but would you please answer the question I asked you? I don’t appreciate having someone, especially the host of a site, jump into a discussion to say, “You’re wrong, he’s right” and nothing more. Not only is that rude, but it renders it impossible for any useful discussion to be held.

I have a lot of respect for work you’ve done on issues like paleoclimatology, but to be honest, your writing on “hot topic” issues has been incredibly shoddy. Taking to Twitter to label a story #FakeNews based on nothing more than a self-serving statement which was confirmed to be false within a couple days? Writing a post with a narrative lambasting a company while leaving out crucial information which not only makes the company look far less bad, but likely resolves a mystery you raise in the post? Here, defending MrPete’s posting of a chart with every implication that it was about the DNC hack when in reality it had nothing to do with that?

If not for the respect I have for work you’ve done in the past, I wouldn’t even look at this site with this level of discussion. It’s not like I can even expect errors or inaccuracies (of which there are many more than I’ve pointed out) to get corrected.

I’m not sure of the sense of saying, “EVERY news report I’ve seen has misinterpreted” a chart when you present it in a way that begs people to misinterpret it. Anyone reading your comment would assume the chart which follows was made in reference to the DNC hack since that is the subject of the post you’ve commented on. Your introduction, “Here is some important context,” does nothing to suggest to readers it is about anything but the DNC hack.

However, the chart you’ve posted has nothing to do with the DNC hack. The report it was taken from is about (supposed) Russian attempts to compromise aspects of the United States elector system (computer systems involved, not voting machines themselves). These are two entirely different things. Nobody reading your comment could be expected to realize that.

You might be right in that one attack may provide context for the other, but nobody reading your comment would interpret it that way.

That is not an appropriate reading of the chart. The chart uses a natural layout for diagramming attacks, showing the adversary space, the neutral space and the target space. Those are three categories one could include in a diagram of any attack like this. If you believe an organization or individual was responsible for an attack, his systems would be classified as being in the “adversary space.”

That doesn’t mean you are saying that organization or individual is “the adversary” in some over-arching policy sense. It just means that, in the case of this attack, they are the adversary that was behind it.

Also, the report never once says “the adversary.” It only uses the phrase “adversary space.” Altering quotes in a way which distorts their meaning is not something we should do.

A followup. I apologize that I didn’t take time to more fully explain in the original… yet I wanted others to reflect on it a bit more before I added any additional thoughts.

1) As I said, I provided the diagram for context. Brandon is correct that it’s not directly about the DNC hack. However, it provides important context for understanding a bit better how these things work — in general. Obviously, it is quite rare for us to see documents like this! [Added in edit: I would expect that a similar document exists for the DNC situation… and from what I’ve seen, the levels of confidence are likely similar.]

2) Something very important to understand, that can be read directly from the diagram if you have eyes to see… there is quite a lot of interpretation involved in this work. As Brandon noted quite rightly, one must be careful not to go beyond that in our own conclusions of what is fact.

3) Something worth considering: sometimes (I have no idea how often), material may be classified NOT because the material is secret… but because our knowledge is minimal and conclusions are much-less-than 100% certain. 60% this, 70% that. VERY easy to misunderstand, VERY easy to draw inappropriate conclusions. And therefore dangerous in the hands of those who are quick to jump to conclusions. Thus, a “national security risk” if the assessment is made public.

Hopefully that helps explain why I shared this in the context of DNC hack discussions. We easily misinterpret evidence based on too many assumptions.

For a fascinating read, including the sleuthing part of the story, on an unrelated yet very revealing series of events that help explain just how much power is in the hands of people around the world in the online realm, I commend the following links:

So it took Krebs almost 4 months (and luck) to find out who was behind that attack, while it took Alperovitch ~ 24 hours for his attribution. One big difference is that the latter saw a huge opportunity for personal (business) PR plus blackening his favourite adversary Russia so in his haste swallowed (or made up?) some ridiculous clues plus some additional amateur false tracks.

MrPete, I have a more substantive response to follow, but I feel it is important to stress what you’re saying. You say you “wanted others to reflect on it a bit more before [you] added any additional thoughts” yet you went out of your way to talk about how the media has supposedly misinterpreted the material. I find it difficult to understand why you would feel criticizing the media merits time and space before allowing people to reflect on the issue while telling people the report is not about what they think it is about did not.

That seems unbelievable to me. You didn’t even provide any sort of link so people could possibly have figured out what the report was about. Your actions ensured nobody could possibly tell what the chart you were showing was in reference to meaning everyone would assume it was about the DNC hack. The idea is you apparently didn’t want to distract people by bothering them with little details like, “This report is not about the topic you guys are all discussing, it’s about a different one which nobody here has mentioned but is somewhat related” yet you felt it important to tell them:

EVERY news report I’ve seen has misinterpreted it.

What to ask yourself: how certain is it that the Russians were involved?

While not bothering to add even just these four words “in a different attack.” That is ludicrous. Even Michael Mann would blush at this. If you didn’t know what the report was about when you made your original comment, that would make far more sense given what you wrote. The idea you knew what the report was about but intentionally hid it from everyone would mean you intentionally deceived readers. I don’t believe that’s the case.

Brandon, my point is identical for both the situation where we DO have a leaked assessment document (the one I shared), and the situation where we do NOT have one (the DNC hack):

– The underlying factual situation tends to be far more nuanced than how the media (and most of the rest of us) interpret it.
– In the case of the events for the document I shared, I still have not found a media report that got it right: 100% of the reports I have seen presume that we have a “smoking gun” of factual evidence that nails “the Russians.” No caveats are provided. Now I haven’t continued to search so who knows, maybe there are a thousand such reports now. I’ve not seen them.

As for your accusation that I didn’t provide a handy-dandy link so people could do their own research… I guess I have more respect for the intelligence of the average CA reader. After all, the image I posted contained lots of hints. It’s quite easy to find everything needed. I tried a few google searches and they all worked fine. For example: spear phishing nsa

– The underlying factual situation tends to be far more nuanced than how the media (and most of the rest of us) interpret it.

It is interesting to see you talk about how nuanced things are after claiming to have intentionally withheld information in a way which made it impossible for anyone to realize the material you were showing was not for the DNC hack, but rather, an entirely different set of cyberattacks.

As for your accusation that I didn’t provide a handy-dandy link so people could do their own research… I guess I have more respect for the intelligence of the average CA reader. After all, the image I posted contained lots of hints. It’s quite easy to find everything needed. I tried a few google searches and they all worked fine. For example: spear phishing nsa

Steve McIntyre should feel free to tell me how wrong I am in saying this, but I think any regular reader of this site would say choosing not to provide any reference, citation or link to material is not okay simply because a person can use internet searches to try to find the material being displayed. I am certain regular readers would not say it is okay to jump into a discussion of one topic with an unsourced, unreferenced figure for a different topic without saying a single word to indicate to readers you are introducing a new topic.

If you have any “respect for the intelligence of the average CA reader,” you should stop pretending what you did was normal or right. They aren’t dumb enough to fall for it.

Brandon, you couldn’t be more wrong. A topic is easily researched without links. Pete is right: intelligent readers know how to use the internet and links often turn out to be biased and worse than no link.

Steve McIntyre left a message for you up thread. It seems that you missed it. I urge you to look for it and study it. He meant it kindly.

In the meantime, you should tender an apology to Pete for your rudeness.

2) Something very important to understand, that can be read directly from the diagram if you have eyes to see… there is quite a lot of interpretation involved in this work. As Brandon noted quite rightly, one must be careful not to go beyond that in our own conclusions of what is fact.

I have never said this. It might be something I agree with, and it is somewhat similar to things I have said, but I do not appreciate having people put words or ideas in my mouth.

3) Something worth considering: sometimes (I have no idea how often), material may be classified NOT because the material is secret… but because our knowledge is minimal and conclusions are much-less-than 100% certain. 60% this, 70% that. VERY easy to misunderstand, VERY easy to draw inappropriate conclusions. And therefore dangerous in the hands of those who are quick to jump to conclusions. Thus, a “national security risk” if the assessment is made public.

I have never heard this idea before. Do you have any reference for the legal basis for it being done? I know classification can be misused, but you didn’t mention this being done without legal basis so I assume that’s not what you have in mind.

1) Last year, Brian Krebs was hit with a HUGE attack (600+ Gbps incoming data)
…
2) In further analysis of these kinds of things, experts like Bruce Schneier concluded it was nation-states testing their power to potentially take down the whole Internet

This is misleading. There is no connection between the two things you refer to here. The first item is about a (massive) DDoS against a blog which discusses cybersecurity; the second is about DDoS attacks (and other related probes) against networks that manage parts of the internet. The only similarity is they both involve DDoS attacks. There is no reason to believe they are connected to one another.

As for Bruce Schneier’s conclusions, he did not conclude “it was nation-states” doing anything. He said “it feels like a large nation state.” That is not a conclusion but an impression. And according to his portrayal, only one nation state is involved, not many as you claim. Not that there is any evidence or analysis in the article to support anything it actually says. There isn’t.

3) Krebs invested a huge amount of time to find the real — and surprising — answer.

This is grossly misleading. Not only do we not know “the real – and surprising” answer is true as all there is is an analysis by one person claiming to show who the perpetrator was, but the analysis in question does nothing to implicate that person in any matter of the other two examples you mentioned. This is telling as the author is the same for each of the three articles you link to.

If there was some over-arching narrative to be found between these three examples, the author who discusses all three would have brought it up. He hasn’t because there is none. Only you have suggested there is. You seem to have strung together three separate things into a narrative as though they were all highly connected when in reality they were entirely disjoint. There is nothing tying your narrative’s threads together. These three examples are not connected to one another.

Attribution: Not sure if it is worth responding to your comment on item 2. I was actually attempting to be friendly/nice in giving you credit for the idea 🙂 — while saying it in my own way: “one must be careful not to go beyond that in our own conclusions of what is fact.”

You’ll note that I didn’t put quote marks around the statement, thus I was not quoting you. What you explicitly DID say was that it “is not an appropriate reading of the chart” to interpret “adversary space” as “the adversary,” and you concluded with: “altering quotes in a way which distorts their meaning is not something we should do.” That’s what I was thinking of.

If you don’t want to receive credit for the idea, it’s no skin off my teeth 🙂

Reasons for classifying: My point is that AFAIK there are multiple dimensions of characteristics that can create “risk to national security.” One such category can relate to risk of misinterpretation. Enough said.

Krebs: Are you truly so certain in your assertion that “there is no connection” between these? Krebs discusses the connection in one of the articles I linked. Other posts go far more into it. This is one of his major ongoing topics. This post discusses and provides links to even more. As Schneier states about DDoS attacks and their recent patterns:
* “largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.”
* “attacks are significantly larger than the ones they’re used to seeing.”
* “And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.”

Not-so-funny thing… Krebs described in significant detail (gotta keep digging, similar to CA 🙂 )… 300Gbps attack prior to 620Gbps attack on Krebs, prior to about double again, against OVH in France, and on and on.

Linkage: Brandon, you’re smarter than this. Are you truly so confident that: “These three examples are not connected to one another.”??!! Just google: Mirai DDoS. 250k hits…

This isn’t three isolated events. This is a tip of an iceberg. There are multiple investigators involved, multiple corporate research teams, multiple incidents on multiple continents. It’s not just one guy making spurious accusations against a kid. You can find discussion by people at Flashpoint, Level3, etc etc etc. Sorry, I don’t have time to do others’ homework.

Bottom line:
* Sophisticated, massive, ever-more-powerful attack tools have become generic
* They are created, deployed, and used, by kids, and grownups, and state actors… worldwide
* The impact is far bigger than most people can imagine
* There’s little reason to assume “state actors” are necessarily involved

Oh. Schneier: Was Schneier really open to other options in his “impression” (should I accuse you of a misquote?) of the recent developments? Did he imagine it could be anything OTHER than one or more “state actors?”*** (Schneier’s actual term.)

He never hinted at such. Nowhere did Schneier hint that these huge, rapidly doubling in scale and sophistication, DDoS attacks could be anything other than “state actors.” He certainly didn’t suggest undergrad college students. Funny thing: Since he wrote that, Schneier has never again even “felt” that a DDoS attack was likely a state actor. He’s no dummy! The evidence is obvious.

***FWIW, “state actors” is a non-specific plural form, which could be one, could be many, it’s unspecified. Every author quoted by Krebs used that form… including Schneier… and me.

My first instinct in Climategate was that Mr FOIA was young, university age. Parking the Climategate file at Realclimate reminded me of a famous Oxbridge incident in which a car was put on the roof of a college. It was an insouciant gesture that someone is more likely to do when young than old. Also, the familiarity with proxy servers, foreign to me, was apparently common knowledge among young people from handling music and videos and didn’t necessarily imply state intelligence agencies.

Reasons for classifying: My point is that AFAIK there are multiple dimensions of characteristics that can create “risk to national security.” One such category can relate to risk of misinterpretation. Enough said.

You made a very specific claim regarding how classification gets used. I asked you if you had any source showing the legal basis for such. This response doesn’t offer any. You can end a discussion fork with, “Enough said,” but if you choose not to provide any sort of basis for your claims, shutting off discussion of them will leave people with no reason to believe what you say.

Krebs: Are you truly so certain in your assertion that “there is no connection” between these? Krebs discusses the connection in one of the articles I linked.

No he did not. I’ll note despite your many claims, you have not provided a single quotation or direct reference showing what you claim. The three examples you provided were not connected to one another by any of the reporting on them. The author of the three pieces did not claim they were part of one campaign like you have portrayed.

Linkage: Brandon, you’re smarter than this. Are you truly so confident that: “These three examples are not connected to one another.”??!! Just google: Mirai DDoS. 250k hits…

This isn’t three isolated events. This is a tip of an iceberg.

You can claim this all you want, but the articles you’ve relied on do nothing to support your claims. Even your latest link does nothing to make this connection. It doesn’t even state the Mirai malware was involved in the example in question, instead reporting only that some people think it was.

More importantly, the author goes out of his way to point out the creator of the Mirai malware released the code for it, allowing anyone to use it. This means even if the Mirai malware was used in the first example, there is no reason to think that has anything to do with the third example. The third example discusses the original creator of the malware, not every person who has ever used it.

I’m done. No more time for this. Any more and we really lose value.

Yes, as long as you keep making things up, this will continue to be a waste of our time. That’s all you have done. You have not done a single thing to link any of your examples together except point to a link which says software developed by one person (supposedly) identified in one example was (supposedly) used in one of the other examples. Given that link explicitly states “anyone [could] build their own attack army using Mirai,” that (supposed) connection is disingenuous at best.

Hey, would you look at that? Two weeks after I first submitted that comment, had it go into moderation then disappear, I was able to get it through. Funny that. Too bad anyone reading the discussion will have moved on long before I was able to get this posted.

I gave this a quick read, and I think it’s unfortunate there are so few sources/quotations/references for what he says. One which jumped out at me right away was:

Members of this Committee as well as some members of the Senate Intelligence Committee aren’t alone in their irresponsibility. On January 20, 2017, the New York Times reported that the intelligence services were in possession of emails, records of financial transactions and transcripts of telephone intercepts, which proved that Roger Stone, Paul Manafort, and Carter Page colluded with the Russians for the benefit of Donald Trump. So, where are these records? Can this Committee or our intelligence agencies produce them? I didn’t think so.

Claiming the intelligence community had records “which proved” such collusion seems like an enormous stretch for a news outlet like the New York Times to make. I find it difficult to believe it would have made such a claim back in January of this year. I tried finding the article he referred to, but the closest I could find was this one dated January 19th, 2017. It says things like:

Mr. Manafort is among at least three Trump campaign advisers whose possible links to Russia are under scrutiny. Two others are Carter Page, a businessman and former foreign policy adviser to the campaign, and Roger Stone, a longtime Republican operative.

Which makes me think it may be what he is referring to in his opening statement since it mentions all three names and discusses the same general topic. However, that article repeatedly makes it clear no proof had been found at that time, and that people were merely being investigated. Either the New York Times published another article the next day which I didn’t find which gave a wildly different narrative than this one, or Roger Stone has simply fabricated this claim.

There are quite a few claims worth checking in his statement, but it seems like it may not be easy to do so.

I should mention Roger Stone attached some supporting documents which cover certain examples he discusses. That makes it easy to examine what he says about them. From what I can tell, his descriptions of those few events appear to be accurate other than him insisting untrue things other people said were lies. I don’t think he has any evidence to show those people lied as opposed to just making mistakes.

I tried checking into some of the other examples, but because of how vaguely many of them are described, I couldn’t make quick progress on the ones I tried. I think the New York Times article is the only one he provided a date for. That may turn out to be an unfortunate example to provide a specific date for if it turns out he was referring to the article I found.

Perjury requires intentionally lying. It is often difficult to prosecute people who say untrue things because of the possibility of them simply making a mistake. Going by his reputation, it wouldn’t surprise me if Roger Stone intentionally shaded the truth because he knew he could get away with it by just saying, “I guess my memory was wrong.”

The top Democrat on the House Intelligence Committee said Wednesday that there is now “more than circumstantial evidence” that Trump’s associates colluded with the Russians to interfere in the U.S. election.

In an interview on MSNBC’s “Meet the Press Daily,” host Chuck Todd asked if Rep. Adam Schiff, D-California, currently has a circumstantial case.

“Actually, no, Chuck. I can tell you that the case is more than that. And I can’t go into the particulars, but there is more than circumstantial evidence now,” Schiff said.

Asked if he’s seen direct evidence of collusion, Schiff said, “I don’t want to go into specifics, but I will say that there is evidence that is not circumstantial, and it is very much worthy of investigation. So, that is what we ought to do.”

Yeah, Stone should amend that to read “The New York Times is hoping, praying and insinuating that the intel community has evidence to destroy the Presidency of Donald Trump. Where is the evidence? If they had it, it would have been leaked long ago.”

They did leak it. And released it in two publications. No one else believed it. Even Trump’s loudest enemies think there must be something more. The correct answer may be: there is not anything more. That is why the agencies are so obsessed about finding something new. They did get something on Flynn, but unrelated to pre-election. They are still looking, maybe Mr. Mueller will bail them out with fresh sets of eyes.

“American law enforcement and intelligence agencies are examining intercepted communications and financial transactions as part of a broad investigation into possible links between Russian officials and associates of President-elect Donald J. Trump, including his former campaign chairman Paul Manafort, current and former senior American officials said.”

“Associates” is in the plural, indicating not just Manafort. Stone is later named. He is correct, he is included in the article’s first allegation.

By the way, distrust the articles at the website “just security.” They are consistently wrong, shallow and don’t appear to read deeply the documents they comment on.

Mine is about Brandon’s suggestion Stone’s statements are not backed up by a real article in the newspaper. My contrary “proof” is that article’s introductory paragraph. The fact that specific communications are not mentioned in the body of the article does not undermine the fact the article insinuates they exist.

The NYT article did not say anything about anybody having proof of anything. Stone’s statement on that was obviously incorrect. He got that wrong. Are you keeping up? The NYT did not say that the alleged intel community info they were reporting was proof. Read the article.

I am on Stone’s side, but when you are accusing the NYT of getting it wrong, get your own facts straight. Otherwise you hurt your own credibility and shoot yourself in your little foot.

Roger Stone claimed the New York Times said there was proof he and the others mentioned colluded with Russia. The article I linked to mentioned the named individuals, but it does not say anything about there being proof those individuals colluded. What the article said is those individuals are being investigated for possible collusion.

There is an enormous difference between saying people are being investigated for collusion and saying there is proof they colluded. Stone’s claim seems to be completely baseless.

Probable cause can be rather flimsy, Ron. In this case it is just that. The fact remains that Stone was incorrect/hyperbolic in claiming that the NYT reported there was proof of Trump campaign collusion. Let’s give Brandon a cookie on this one and move on.

There is no need for probable cause to launch an investigation. Probable cause is what is needed to get search warrants and arrest people. Investigations can be started based on almost nothing. Many investigations are started because of a single complaint from a single person.

Ron Graf, whatever you may think about it, what I said is how law enforcement works throughout the nation. It has worked that way for decades. Whether or not you like it, I would hope you could at least recognize that is how things work and have worked for quite some time.

With the “Russia Russia” we are seeing federal investigations for treason and/or espionage launched against citizens with little or no evidence except for their voiced political views or that they have talked with foreigners. Today Senators Whitehouse and Blumenthal are announcing their certainty of Manafort’s and Flynn’s criminal wrongdoing.

Ron, those Dim Senators have not said that Manafort and Flynn are going to be prosecuted for treason or espionage. Any charges against them that come out of Mueller’s BS investigation will most likely involve some alleged financial/tax shenanigans unrelated to the campaign, or failure to register as a foreign agent.

I would like to see someone explain how the collusion alleged by the hysterical anti-Trump dim losers falls under treason or espionage statutes. DNC and Podesta emails are not state secrets.

What do the dim losers mean by collusion? Helping or encouraging the Russians to do some hacking? What kind of assistance could the Trump campaign give to the Russians, who are quite capable of hacking on their own? What if Trump promised to help the Russians, if they helped him? It’s remotely possible there is something there. Billionaire tycoon living the good life risks it all with a crazy gamble on trusting the Russians. Uh, huh. What we have here is a political witch hunt. Ask Alan Dershowitz.

I think similarities to climate hype are very interesting. There is a clear confirmation bias for anything hinting at Russian interference. It seems a significant portion of the media consuming public just can’t stomach the idea that Trump is legitimately president of the USA.

I wish somebody on any side of the discussion would at least try to give a fair and clear depiction of things. Leaving aside the biased rhetoric of that piece which should be enough to disqualify it in a reasoned discussion, the claims it makes are disingenuous. Consider this:

So what was wrong with this story? Just one small thing: it was false. The story began to fall apart yesterday when Associated Press reported that Wisconsin – one of the states included in the original report that, for obvious reasons, caused the most excitement – did not, in fact, have its election systems targeted by Russian hackers:

If we assume all of that piece’s claims are true, what happened is of the 21 states identified as having electoral systems targeted by Russians, two did not. That’s saying less than 10% of the examples for a story are false therefore the story is false. That’s nonsense.

And that’s assuming both examples actually were false. The article offers no actual evidence to support that claim. A Californian official issued a statement denying its systems had been targeted, but that’s not evidence. Maybe that guy is right and the DHS is wrong. Maybe the DHS is right and that guy is wrong. You can’t say a story “collapsed completely” because one of 21 examples in it was false and another has been challenged.

Nevermind that the DHS never admitted it was wrong about Wisconsin electoral systems being targeted as that article implies. The DHS acknowledged the electoral systems were not directly targeted, but it says the Wisconsin systems which were targeted were targeted in order to try to find vulnerabilities in the electoral systems. That a cyber attack doesn’t directly target one system in no way means it is not directed at breaking into that system.

People keep talking about how the “Russia, Russia” hysteria comes from biased such and such, but at the same time they keep putting forth shoddy analyses filled with obvious errors, distortions and outright misrepresentations.

You’re right though, that is exactly like how things are with “climate hype.”

Eric, I generally don’t care to speak about people as individuals. Whatever that guy may be in general, the reality is that article is complete garbage. If people can’t recognize that (or explain how his claims are in any way coherent/justifiable), I don’t see how a useful discussion can be held. Crying foul over supposed bias on the other “side” rings hollow when one promotes blatantly incorrect material like this from their own “side.”

Greenwald may be better than most. If so, that just speaks to how low standards are all around.

Brandon, Greenwald is right on this one. Since 2 states say the DHS is wrong, that should cause us to question why the story was quickly published without the most rudimentary attempts at verification or any presentation of contrary evidence. That represents the deterioration of journalistic standards. You might not have been alive, but in the 1970’s people like Bob Woodward took months to check stories before publishing them.

And the track record of the media on Russia is terrible. The best evidence of their guilt is what happened at CNN when Scaramucci threatened to sue them. Summary firings of the reporters. Why would they do that if the article was accurate? There is no actual evidence of collusion between the Trump campaign and the Russian government. It’s a lie invented by Clinton campaign operatives on the night they lost the election.

dpy6629, I have no problem with questioning the DHS conclusions. I’d have had no problem with people questioning those conclusions had no state disagreed with them. Skepticism is healthy.

That’s not what Glenn Greenwald did though. He didn’t “question” the DHS conclusions. He said the DHS narrative completely fell apart. Saying something like, “The DHS conclusions are completely and utterly wrong!” is not questioning anything.

Steve, Re: Flood…
Flood’s comments on Tucker Carlson after his committee testimony pretty much agrees with your thoughts about his role in the whole thing. Fiction that will likely never be illuminated via “other” cable news or print media outlets.

Read it again, Brandon. Greenwald is never disingenuous. He is a lot smarter and in the know snip The DHS has obviously walked back/failed to support the claims regarding CA and WI, who say they were not hacked. So we are not too impressed with the claims on the other states allegedly attacked by Russian hackers. Greenwald provides an impressive list of the Russia hysteria stories that have already been proven to be false. We have still not seen any actual freaking evidence on any of this Russia BS.

I personally haven’t seen this level of media hysteria in my lifetime. It is right out of the 19th Century yellow journalism genre. People are becoming increasingly distrustful of corporate media and it’s totally justified.

Attribution of APT 28 & 29 is based on metadata “fingerprints” and ignores the possibility of false flag diversions. I am skeptical that any state intelligence apparatus would neglect to cover their cyber intrusions with false flags.

Greenwald has been a beacon of sanity. I am very impressed with him. Each day that one thinks that media hysteria could not become worse, it does.

The whole Russian bot thing looks to me like a house of cards – in which twitter feed opposing US policy in Syria (which I, for example, have done) gets DEFINED as spreading Russian disinformation – without determining that the accounts actually are “Russian”.

The deletion of offending twitter/facebook accounts without preserving them makes it impossible to verify. I scraped some recently deleted “antifa” twitter accounts deleted as being “Russian” from Google cache. They all looked to me like US-based satires of antifa – the humor seemed very up-to-date and local. Accounts like Beverly Hills Antifa, Mar-A-Lago Antifa, Honolulu Antifa (surfing against fascism). If a location is shown as “Russian”, it looks more likely to me to be a joke, than a deep revelation. The humor looks entirely American (in a good sense).

I won’t speak toward Glenn Greenwald’s writing on this topic as a whole, but the article linked to in the comment you’re responding to is complete rubbish. The facts he alleges in no way support his argument.

The whole Russian bot thing looks to me like a house of cards – in which twitter feed opposing US policy in Syria (which I, for example, have done) gets DEFINED as spreading Russian disinformation – without determining that the accounts actually are “Russian”.

This is a non-sequitur. There is no reason an account spreading Russian disinformation must be Russian. Russian disinformation is disinformation created by Russians. It remains Russian disinformation if and when non-Russians spread it. From what you say here, you seem to be complaining people are failing to determine accounts are Russian before not saying those accounts are Russian.

I don’t know if you meant to make some other point than what you wound up writing, but seeing as you’ve highlighted yourself as an exemplar, I’ll point out you have in fact spread Russian disinformation on your Twitter feed before. Me saying so doesn’t mean I’m calling you Russian though.

dpy6629, that article is not a great summary of anything. Even if one assumes the most favorable facts possible for Glenn Greenwald’s claims (that two states disagree with an assessment does not mean we should automatically assume those states are correct), his article is disingenuous rhetoric, at best.

There was an assessment which said 21 states had electoral systems targeted by Russians. Greenwald argues two states say they weren’t targeted, therefore the entire case is collapsing. That’s nonsense. If 2 of the 21 examples were incorrect, that would leave 19 examples. Having fewer than 10% of one’s examples be wrong doesn’t mean a person’s case has completely collapsed.

And that’s assuming the facts most favorable for Greenwald. The best case interpretation is he has grossly exaggerated things.

Brandon, I think you are “casting atoms of scripture as dust before men’s eyes” and ignoring the “main design.” Greenwald has seen so many Russia narrative stories collapse that he can see that this one may be proven false too.

The main design is that the Russian collusion and hacking narrative is frankly partisan media propagandizing in favor of a narrative invented by Hillary campaign operatives to explain her loss and Obama holdovers such as Clapper, who recently was shown to be a liar concerning the Trump Tower wiretapping issue. Greenwald is expressing justified outrage at a corrupt media who simply serve their own partisan interests and biases.

I am mystified by the antipathy that Alperovitch bears toward his homeland. His family has no experience with today’s Russia, having emigrated from Russia upon the demise of the Soviet Union. The Russia of today is much different from its former self as a Soviet Republic. So why does Alperovitch hate it? Most Russians do not long for the old days of the Soviet Union. Alperovitch’s hate for Russia does not add up, considering the circumstances.

Also relevant is “Does Dimitri Alperovitch hate Russia?”
From his membership on the Atlantic Council till today it certainly seems so. This pro-perpetual-NATO club got funds from many countries and companies but none from Russia(n). Today the reach is far beyond the North Atlantic ocean’s coasts. http://www.atlanticcouncil.org/support/supporters

Maybe for business purposes. Like the exterminator who needs to find termites to make $, Alperovitch needs to find “Russians” in your computer. Spook the customer beforehand, show that his concerns are yours and rake it in. Never mind that no state intelligence service is dumb enough to smear its sticky fingers all over the heist, what does the customer know, anyway.

Key quote from the 5-4-16 email re DWS shows that Awan had DWS’s iPad password. I see on Google I’m not the first to have this:

I do not have access to her ipad password, but Imran does. I’ll call Geoff now.

With that kind of access it just shows how lax on security DWS was. (But we and Cozy Bear knew that.) It doesn’t indicate Awan had anything to do with G2 or hacks. If Awan was blackmailing DWS for a huge pay rate, extended employment and protections from police it could’ve been for many types of damaging insider info. We can only hope Awan eventually talks and does so truthfully. Also, the police are fighting legal battles right now with DWS to access the laptop that Awan left in what used to be a phone booth in a congressional office building.

Awan does appear to be unscrupulous. He had the complete confidence of DWS. Perhaps he was willing to do favors like reporting dirt he found while electronically eavesdropping on the DNC members through its offices and network. That type of thing may have led to DWS feeling comfortable having him do tasks if they were part of the G2 operation. Of course, he could have been recruited for cash by a foreign power. But Awan lacked the motivation or skills to be the DNC leaker, the Podesta hacker, G2 and DCleaks.com proprietor.

Does anyone else have a theory that explains all the evidence? Again, my proposed scenario is 1) Russian Cozy Bear stealthily collecting info for internal use, 2) Anti-Russian foreign state hack of Podesta, 3) Clinton damage control by registering DCleaks.com as contingent op to discredit Podesta docs should they appear, 4) Crowdstrike arrives and neutralizes Cozy Bear, 5) Seth Rich under cover of the DNC Cozy Bear breach collects damaging material for leak to WL. 6) After WL announcement of Clinton emails coming out, Clinton springs G2 plan into action for damage control. Clinton, then the nominee and new head of the party, finds out from DWS of the DNC CB hack and possibly the Seth Rich incursion as well. Clinton hires Crowdstrike to implement G2 plan. Crowdstrike either uses a Fancy Bear attack or fabricates one to give G2 a plausible footprint. They say all FB got was Trump opposition research. On cue the next day G2 debuts with Trump oppo document, staking the media to be invested in G2 as DNC hacker. 7) Anti-Russian hacker, seeing all of this and the Russians taking all the blame, goes to WL with the Podesta cache, which Assange accepts since it’s not Russia. 8) Seth Rich is murdered, and whether Clinton hired the killer or not, everyone assumes he is the latest number on the list, including Assange and the Dem controlled DC Metro Police; everyone acts under that assumption.

Your comment pre-supposes that G2 needed to accumulate documents and was not being fed documents by the DNC/Clinton campaign. If Adam Carter is correct most all of G2’s documents were already in the public domain (or of low value) except WL.

We know G2 did somersaults to claim both WL were his, yet he was unable to present direct evidence to DNC and only connection to Podesta by releasing email attachments in common with WL in advance of WL. But, those Podesta WL documents were mixed about equally with documents not in WL. And all were labeled DNC WL docs when none were. This is according to https://jimmysllama.com/2017/05/28/9867/

The last comment on that Jimmysllama’s blog points out that two of the G2 June 15, 18 released documents were also on the cf.7z and ngp-van.7z dossiers, showing that all the docs might be part of a larger archive that G2 was seemingly selecting from.

I don’t see how G2 having harmless documents dated January documents is evidence of anything. If G2 had made an appearance in January that would be different but the first we see of him is June 15, the day after the DNC press release of the hack. More importantly, G2 profile does not fit anything but a DNC/Clinton mis-information operation, and I suspect you agree.

“The last comment on that Jimmysllama’s blog points out that two of the G2 June 15, 18 released documents were also on the cf.7z and ngp-van.7z dossiers, showing that all the docs might be part of a larger archive that G2 was seemingly selecting from.”

You say: “most all of G2’s documents were already in the public domain (or of low value) except WL”. These are very different points. Very few G2 documents in the ngpvan and cf dossiers were “already in the public domain”.

I agree that G2 documents are uninteresting, but perhaps that’s because Democratic Party of Virginia documents (pdf, doc, xls) tend to be uninteresting. Climategate DOCUMENTS, as opposed to emails, were pretty uninteresting as well.

In Climategate, the two extreme positions were leak vs Russian intelligence service, while the correct answer was lone wolf hacker. I may be over-extrapolating from previous experience, but I see the same here. I’ve seen no evidence that convincingly points to DNC false flag while excluding lone wolf hacker.

“G2 was steadily accumulating data starting at least as early as January 2016. Convincing evidence that G2 had installed exfiltration software. I haven’t published this yet, but have work in inventory”

I have boundless faith in your acumen but:

1. Does the fact that data originating in January 2016 was collected show that it was collected in January 2016? Assuming there is something in the metadata which can be used to identify when “collection” occurs, can’t the dates of “collection” be manipulated like any other piece of metadata?

2. Assuming the data was collected in January 2016, how can this show that exfiltration software was used when another candidate for the “data collector” is the DNC itself which might “collect” the same data for its own purposes? (I do not mean they would have done so originally for use in a hoax, or some other nefarious purposes, six months later. I mean that once a set of e-mails was collected the data could have been used to support a G2 hoax afterwards.)

3. Assuming exfiltration software was sitting on the DNC’s servers and that data was found collected and ready to be exfiltrated, couldn’t Crowdstrike repurpose that data to create a G2 hoax?

I’m not saying you are wrong about G2 being a third party hacker but, if that is the case, these are the questions I would be asking.

Your comment shows that you acknowledge that G2 is not acting like a typical hacker/leaker who would be motivated to both make an impact and, in G2’s case, gain the credit. G2 seems to have an endless archive of documents at his disposal, overtly is attempting to claim credit while covertly acting in a way that undermines that aim.

Consider the following:

1) He has many of the WL Podesta email attachments and wants to claim credit for the Podesta WL but fails to mention it before Assange does. Even when he is doing back flips to gain attention and gain credit for WL, all he would have to do after the June 15 appearance is to say, “By the way, not only did I hack the DNC but also the Clinton Campaign and here are a couple of samples of a cache that will be appearing in the future on WL.”

2) Instead, after Assange announces “Hillary Clinton emails” will be released, G2 assumes they are DNC emails that WL will release despite Assange not mentioning the DNC.

3) Despite this G2 never is able to cough up a match of a WL DNC email or attachment.

4) After Crowdstrike and the DNC say the only document Fancy Bear exfiltrated was the Trump oppo research, G2 then releases it the next day, presumably to take credit, yet has no DNC WL documents despite trying to take credit for DNC WL.

5) Every claim G2 makes appears to be a lie yet the US intelligence community and MSM accept him at his word except that he is Romanian.

6) The only reason anyone even accepts G2 as a hacker is his production of documents. But G2’s knowledge is incomplete on each attack and WL. He has a large archive of documents but never releases a damaging document to Clinton or DNC even when ones were going to be released on WL. He knows Assange has DNC docs before the public or DNC. He does not know WL has Podesta emails until Assange announces it.

Whether G2 is responsible for Wikileaks DNC or Podesta is a different issue than whether G2 is a hacker. Notwithstanding your comments, he feels more like a hacker to me than a DNC false flag. But there are more issues.

Tony Shaffer: Sean, we did it. Not me, but our guys, former members of NSA, retired intelligence officers used these tools to break in there and get the information out. That’s what the Democrats don’t want to talk about because it doesn’t fit their narrative.

I’m not interested in Warren Flood theories. G2 had access to hundreds of stale Word documents. He used one of these documents (originally authored by Warren Flood) to do a cut-and-paste. If you open an old document and save it, you get identical results, e.g. I opened a G2 document, in which the metadata was unchanged (most of it), and saved it: Presto.
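The metadata in question lives inside the .docx package itself: a .docx is a zip archive whose authorship fields (creator, last modified by, revision, created/modified timestamps) sit in docProps/core.xml and whose default proofing language sits in word/styles.xml. The script below is an added illustration of how an analyst reads those fields; it is not code from the post or from any commenter, and the sample document, its author names, dates and language tag are all constructed for the demonstration. The `simulate_resave` function is a model of what a word processor's Save does to core.xml (it updates last-modified-by, modified and revision, and carries creator and created over untouched); it is not a call into Word.

```python
"""Read authorship metadata from a .docx (Office Open XML) package.

The sample document is built inline so the script runs offline; every
value in it (names, dates, language) is constructed, not taken from any
real document.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for prefix, uri in NS.items():          # keep familiar prefixes when re-serialising
    ET.register_namespace(prefix, uri)

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
 <dc:creator>original author</dc:creator>
 <cp:lastModifiedBy>last editor</cp:lastModifiedBy>
 <cp:revision>2</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2016-01-10T14:00:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T09:30:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

STYLES_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:styles xmlns:w="{w}">
 <w:docDefaults><w:rPrDefault><w:rPr>
  <w:lang w:val="en-US" w:eastAsia="en-US" w:bidi="ar-SA"/>
 </w:rPr></w:rPrDefault></w:docDefaults>
</w:styles>""".format(**NS)

CONTENT_TYPES_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
 <Default Extension="xml" ContentType="application/xml"/>
</Types>"""


def build_sample_docx() -> bytes:
    """Return a minimal constructed .docx package as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/styles.xml", STYLES_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Pull the who/when fields and the default proofing language out of a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        styles = ET.fromstring(z.read("word/styles.xml"))

    def text(el, path):
        node = el.find(path, NS)
        return node.text if node is not None else None

    lang = styles.find(".//w:docDefaults//w:lang", NS)
    return {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "revision": text(core, "cp:revision"),
        "created": text(core, "dcterms:created"),
        "modified": text(core, "dcterms:modified"),
        "default_lang": lang.get(f"{{{NS['w']}}}val") if lang is not None else None,
    }


def simulate_resave(docx_bytes: bytes, editor: str, when: str) -> bytes:
    """Constructed model of a word processor's Save: only lastModifiedBy,
    modified and revision change; creator and created are carried over."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src:
        core = ET.fromstring(src.read("docProps/core.xml"))
        core.find("cp:lastModifiedBy", NS).text = editor
        core.find("dcterms:modified", NS).text = when
        rev = core.find("cp:revision", NS)
        rev.text = str(int(rev.text) + 1)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                data = src.read(item.filename)
                if item.filename == "docProps/core.xml":
                    data = ET.tostring(core, encoding="UTF-8", xml_declaration=True)
                dst.writestr(item, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("original:", extract_metadata(original))
    resaved = simulate_resave(original, "second editor", "2016-06-20T00:00:00Z")
    print("re-saved:", extract_metadata(resaved))
```

Running the script shows the point made in the comment: the creator and creation timestamp survive a re-save, while only the last-modified-by, modified and revision fields move. The language tag read from word/styles.xml is the document-wide default; per-run language settings inside word/document.xml can differ from it, so a full review reads those too.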

A Bloomberg article reports that the Equifax hack was perpetrated by state actors. A security tool was present on the Equifax network which recorded all activity by the hackers down to the keystroke. Two teams of hackers were involved. The first was much less skilled than the second. The state actor hypothesis is supported by the facts that none of the stolen information has turned up in criminal channels and the tools used were originally used by Chinese state hackers.

Are comments closed on the October 2 post thread? I was trying to post this:

Steve,

“My own working hypothesis is that G2 was a lone wolf hacker. This is a surmise only. This surmise is NOT proven by the analysis provided above, but I do not believe that it is inconsistent with the information marshalled here. I’ll try to outline why I believe G2 to have been a lone wolf hacker on another occasion.”

The Adam Carter analysis still seems more convincing to me. If G2 was a lone wolf hacker, the DNC/Crowdstrike has been incredibly lucky. This lone wolf just happened to appear, at just at the right time, with a supply of meaningless DNC documents, a (sanitized?) version of the DNC’s Trump opposition file and a feeble Boris Badenov disguise. I think I will always favor a cui bono analysis over most computer metadata analysis because metadata is so easy to fake.

That having been said, the weakness of any cui bono style analysis is that sometimes coincidences do happen and sometimes people do get lucky (or unlucky). I admit you make a very reasonable case and I now see what you mean about some of these details not really fitting a false flag. I agree it doesn’t “feel” like the metadata discussed in your post has been faked, the observations seem too subtle for that.

I also think there is only one “l” in “marshaled” (unless this is one of those Canadian spelling things).

One Trackback

[…] came about because I criticized the general failure to get basic facts right over at Climate Audit, saying, "I think it would be helpful for people to agree to set of basic facts/terminology." I meant that. […]